Mobile ActiveSync Russian Roulette
Presented by Oliver "deathflu" Greiter



               assurance
Assurance / Oliver Greiter

- Assurance = compliance { penetration testing/ethical "hacking", review, audit }, wireless & mobility, UNIX/Windows/network and security consulting/support
- Oliver = professional bio author and breaker of stuff




Exchange ActiveSync

- Based on HTML and XML
- Platforms with Exchange ActiveSync compatible client
- Allows users to access their e-mail, calendar, contacts, and tasks stored on Exchange server
- Cheaper solution to implement (at first glance) when compared to other solutions such as BlackBerry
- "Good" way to encourage (enslave) users to check corporate email on their own time

Simple Diagram




Default security configuration

- SSL transport layer protection (HTTPS)
- Basic Auth
- Device ID
- "Enforced" Device Security Policy


Sample Sync Request

POST /Microsoft-Server-ActiveSync?User=krudd&DeviceId=IMEI351878010074274&DeviceType=IMEI351878010074274&Cmd=Sync HTTP/1.1
Host: autodiscover.dept.gov.au
Accept-Encoding: gzip, deflate, x-gzip, identity; q=0.9
Accept-Language: en-us
Authorization: Basic UE1ca3J1ZGQ6V2FsbGFiaWVzIQ==
Expect: 100-continue
User-Agent: NokiaE61i/2.09(158)MailforExchange
Content-Type: application/vnd.ms-sync.wbxml
MS-ASProtocolVersion: 12.1
X-MS-PolicyKey: 1799664318
Content-Length: 68

jEOK1643522697R5U50WX2EF1G3072[1
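An added example (not from the talk): a small Python audit of a captured ActiveSync request in the form above, reporting the points the slides and speaker notes make about it: Basic auth hands the credential to whoever terminates TLS, the domain username travels in the URL of every request, the device ID can be checked against the admin allow list, and a policy key the server does not hold should draw a 449 rather than service. The sample request, its credential and IMEI are constructed; parse_request and audit are assumed names.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the request on the slide. The Basic
# credential (CORP\alice:Example1!) and the IMEI are made up for this demo.
SAMPLE_REQUEST = (
    "POST /Microsoft-Server-ActiveSync?User=alice&DeviceId=IMEI000000000000001"
    "&DeviceType=IMEI000000000000001&Cmd=Sync HTTP/1.1\r\n"
    "Host: autodiscover.example.com\r\n"
    "Authorization: Basic "
    + base64.b64encode(b"CORP\\alice:Example1!").decode()
    + "\r\n"
    "User-Agent: NokiaE61i/2.09(158)MailforExchange\r\n"
    "Content-Type: application/vnd.ms-sync.wbxml\r\n"
    "MS-ASProtocolVersion: 12.1\r\n"
    "X-MS-PolicyKey: 1799664318\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into method, path, query dict, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parts.path, "query": query,
            "headers": headers, "body": body}


def audit(req, allowed_devices, current_policy_key, over_tls=True):
    """Return the findings a defender wants from one observed EAS request."""
    findings = []
    q, h = req["query"], req["headers"]
    scheme, _, blob = h.get("authorization", "").partition(" ")
    if scheme == "Basic":
        findings.append("basic-auth: credential is base64 only, readable by "
                        "anyone who terminates the TLS session")
        # Decode only the user part, to cross-check it against the URL.
        cred_user = base64.b64decode(blob).decode("utf-8", "replace").split(":", 1)[0]
        if cred_user.split("\\")[-1].lower() != q.get("User", "").lower():
            findings.append("user-mismatch: URL User differs from credential user")
    if not over_tls:
        findings.append("plaintext: request seen outside TLS")
    if "User" in q:
        findings.append("user-in-url: domain username '%s' visible in the query "
                        "string of every request" % q["User"])
    device = q.get("DeviceId", "")
    if device not in allowed_devices:
        findings.append("unknown-device: %s is not in the admin allow list" % device)
    # A stale or foreign policy key should be answered with 449 (re-provision),
    # not serviced; Provision itself is the one command allowed through.
    if h.get("x-ms-policykey") != str(current_policy_key) and q.get("Cmd") != "Provision":
        findings.append("stale-policy-key: answer 449 and force re-provisioning")
    return findings


if __name__ == "__main__":
    parsed = parse_request(SAMPLE_REQUEST)
    for line in audit(parsed, {"IMEI000000000000001"}, 1799664318, over_tls=True):
        print(line)
```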



autodiscover.{domain}.com

Approximately 30% of "Top 500 domains"* had an autodiscover hostname in DNS

*http://www.seomoz.org/top500

MITM Attack

- ARP spoof?
- DNS poisoning?
- Fake WiFi Hotspot?
- Port re-direction?
MITM Fun

- Sniff Traffic - Emails, Contacts, Notes, User credentials (AD domain)
- Client Request Replay - Generate your own requests and replay them to the server
- Server Response Replay - Generate your own responses and replay them to the client




Kill Command Replay




Sample kill response

HTTP/1.1 449 Retry after sending a PROVISION command
Connection: Keep-Alive
Date: Fri, 20 Nov 2009 22:29:31 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
Cache-Control: private
X-AspNet-Version: 2.0.50727
MS-Server-ActiveSync: 8.1
X-Powered-By: ASP.NET
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 70

[gzip-compressed body, 70 bytes, omitted]


Symbian OS

Nokia N95
Mail for Exchange v2.9.158




iPhone OS

iPhone 3G
iPhone OS v3.1.2




Windows Mobile 6.1

Dell AXIM X51v PDA
Windows Mobile 6.1




What just happened?




In an ideal world...

- Valid SSL Certificate on server
- Unique Client Certificate on each device
- Device (and storage card) encryption
- Access restricted to a private Cell Network Access Point Name (APN)
- HTTP Digest authentication
- Exchange ActiveSync domain segregation
- User education
Application Improvement

How about introducing session management as a default component of the application?
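An added illustration of the session-management proposal on this slide, written for this edit and not part of the talk or of Exchange ActiveSync itself: the device authenticates with Basic once, then presents an HMAC-signed session token bound to its DeviceId on every later command, with an expiry and a central revocation hook for lost or stolen devices. SessionManager, handle_request, basic_authorization, the server secret and the credential store are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length


def basic_authorization(user, password):
    """Build the Authorization header value a device sends on first contact."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class SessionManager:
    """Server-side sessions bound to a DeviceId, with expiry and revocation."""

    def __init__(self, secret, lifetime=3600):
        self.secret = secret        # server-side key, never sent to the client
        self.lifetime = lifetime    # seconds a session stays valid
        self.revoked = set()        # session ids killed centrally

    def issue(self, user, device_id, now):
        payload = {"u": user, "d": device_id, "exp": int(now) + self.lifetime,
                   "sid": secrets.token_hex(8)}
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.secret, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()

    def validate(self, token, device_id, now):
        """Return (user, 'ok') or (None, reason).

        The DeviceId check is what stops a token captured from one handset
        being replayed from another; the expiry bounds how long a captured
        token is useful at all.
        """
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except (ValueError, AttributeError):
            return None, "malformed"
        if len(raw) <= TAG_LEN:
            return None, "malformed"
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None, "bad-signature"
        payload = json.loads(body)
        if payload["d"] != device_id:
            return None, "device-mismatch"
        if now > payload["exp"]:
            return None, "expired"
        if payload["sid"] in self.revoked:
            return None, "revoked"
        return payload["u"], "ok"

    def revoke(self, token):
        """Central management hook: invalidate a session without touching the device."""
        raw = base64.urlsafe_b64decode(token.encode())
        self.revoked.add(json.loads(raw[:-TAG_LEN])["sid"])


def handle_request(manager, query, headers, now, credentials):
    """Bootstrap once with Basic, then require the session token on every command.

    `credentials` is a constructed plaintext store for the demo only; a real
    deployment checks against the directory or a password hash.
    """
    device = query.get("DeviceId", "")
    auth = headers.get("authorization", "")
    if auth.startswith("Basic "):
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        expected = credentials.get(user, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return 401, "bad-credentials"
        return 200, manager.issue(user, device, now)
    user, status = manager.validate(headers.get("x-session", ""), device, now)
    return (200, user) if status == "ok" else (401, status)
```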


Where to from here?


            3G MITM Attacks?




Danke

- y011
- kiwicon crüe

Questions?




     oliver.greiter@assurance.com.au

Mobile Activesync Russian Roulette - Kiwicon 09


Editor's Notes

  • #2: How many of you have checked your email while sitting on the toilet? (pause) A report by Osterman Research focusing on mobile messaging in the North American workplace found that 79% of respondents admitted to doing so.
    - 77% have done so while driving (when the car is moving)
    - 41% have done so on a commercial flight while in the air
    - 16% have done so during a funeral or memorial service
    - 11% have done so during a romantic moment
    (pause) I'm here to talk to you about the bad things that can happen while checking your email on the shitter.
  • #3:
    - Austrian by nationality, don't hold an Australian passport
    - there are no kangaroos in Austria
    - Risky Biz Movember team
  • #4:
    - it's a basic web application
    - some organisations implement it using corporate-owned devices and some organisations implement the solution using employee-owned devices
  • #5:
    - The server is normally named autodiscover.domain.name
    - sync also via USB cradle sync
    - IIS accepts the connection (HTTPS) and then passes it on to the Exchange server
  • #6:
    - Basic Auth - Base64, easily decoded
    - Device ID - the administrative interface can be used to block or permit certain device IDs
    - All three platforms tested (WM, iPhone OS, Symbian OS) implemented the Microsoft API to different levels (device policy)
    - Nokia wipe interrupted - removed PIN lock and emails were still in the inbox
    Device policy consists of things such as:
    - enforcing a device password
    - min pass length
    - alphanumeric pass
    - max password age
    - pass history
    - account lockout threshold
    - idle session timeout
  • #7:
    - Just by sniffing traffic you can already start enumerating domain usernames from the URL.
    - Policy Key does not appear to change/increment (over a week it didn't change)
    - list of commands: Sync, SendMail, SmartForward, SmartReply, GetAttachment, GetHierarchy, CreateCollection, DeleteCollection, MoveCollection, FolderSync, FolderCreate, FolderDelete, FolderUpdate, MoveItems, GetItemEstimate, MeetingResponse, Search, Settings, Ping, ItemOperations, Provision, ResolveRecipients, ValidateCert
    - #Binary Data
  • #21:
    - explain the setup process and "automatically obtain settings" from the Exchange server
    - Settings are sent to the device via an XML response from the server
    - queried public DNS for autodiscover hostnames under Australian and New Zealand domains
  • #22: list of autodiscover domains
  • #36:
    - Attack one endpoint or the other, or the traffic in between
    - SSL has copped a battering this year (wildcard SSL cert, reneg flaw); this talk isn't about that. The user still gets prompted about a dodgy SSL cert... in most cases. This talk is about the shitty implementation of security on the various clients.
    - port 443 is all we care about (maybe DNS too!)
    - SSL cert - Moxie's wildcard SSL cert (Firefox 2 accepts the certs without warning; Firefox 3 won't prompt the user to accept the cert in default config)
    - proxy to pass, capture and replay traffic
  • #37:
    - Sniff Traffic - Pass on the traffic while logging it. Use the creds to gain access to any other applications that are AD integrated, such as Outlook Web Access, or the internal domain through some other path (physical access, wireless, etc.)
    - Request Replay - Send emails (SPAM), retrieve emails, retrieve attachments, search for contacts (mirror address book)
    - Response Replay - Kill Response replay - explain - (central management function to deal with lost or stolen devices)
  • #38: Overview of what is going to take place when executing the kill command replay. As we know, the user can't be relied upon to decide if a cert is valid or not, especially when very little information is provided, as on mobile devices. So how does each of the platforms react when presented with a wildcard SSL cert?
  • #39: - in response to any request we reply with this...
  • #41:
    - can view cert details (CN name etc.)
    - default action is continue
  • #43: The user is only prompted once. iPhone OS 2.1 doesn't prompt when presented with an invalid cert.
  • #45: 0x80072F17 = Unsupported Digital Certificate installed. If you installed a digital certificate that supports wildcards from a certifying digital certificate provider, this certificate will install; however, using the certificate is not supported.
    - in reality this just means that the device won't accept the dodgy cert
    - user isn't given the option to accept the cert
  • #47:
    - the device is nuked - reset to factory state (everything is gone!!!)
    - your high scores on your driving game (gone!)
  • #48:
    - ensure devices are secured adequately (jailbroken iPhones: the first person to exploit this was a Dutch hacker charging 5 euros to fix it)
    - only Windows Mobile supports enforced encryption
    - so instead of vodafone.net.nz your APN would be some company name, for example
    Device policy at a minimum:
    - Enforce device password is set to TRUE
    - Minimum password length is 7 characters
    - Alphanumeric passwords is enforced
    - Maximum password age is set to 90 days
    - Password history is set to 12 remembered
    - Account lockout threshold is set to 3
    - Idle session timeout is set to 20 minutes
  • #49: Pretty standard for web applications. This way the user's credentials don't need to be sent to the server with each request.
  • #50: 3G micro cells have recently become available to AT&T customers in the U.S. They cost US$149. How long before these are hacked and used to perform 3G MITM attacks? Kiwicon 2010 anyone? Are we going to have people sitting in airport lounges with micro cells, MITM-ing 3G connections, exploiting SSL and sitting between cell phone users and their internet banking?
  • #50: 3G Micro Cells have recently become available to AT&T customers in the U.S. They cost US$149. How long before these are hacked and used to perform 3G MITM attacks? Kiwicon 2010 anyone? Are we going to have people sitting in airport lounges with micro cells, MITM 3G connections, exploiting SSL and sitting between cell phone users and their internet banking?