How I hacked into an encrypted service

It all started with an email...

WHAAAT?

Let me double check...

 

OK then.

But what was that?

Let's make this thing work...

OK, it is running.

Now what?

First...

Small recap

OK, it is encrypted.

How do I decrypt it?

RSA?

  • Private/Public key mechanism
  • Cannot encrypt large amount of data
  • 2048 bits key = max 245 bytes encoded

What about the second message?

  • Base64 encoded
  • Not RSA encrypted (too large)

Wait...

Am I stuck?

A clue?

Let's dig into the client!

OK, I have the code.

How does it work?

The message is self descriptive

 

01

Size of the key (00 01 00 00 = 256)

256 bytes = the key

Size of the IV (20 00 00 00 = 32)

32 bytes = the IV

The encrypted login request

 

 

The encryption protocol

 

Go MITM!

Ok, I know how to make requests.

Where are we?

Intercept data

Understand the security protocol

Decrypt the exchange

Forge requests

Use the source, Luke

We had a raw request

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
	<s:Header>
		<a:Action s:mustUnderstand="1">http://www.silae.fr/IIWCF/AppelComResponse</a:Action>
		<a:RelatesTo>urn:uuid:f9bcb8a5-24cb-4963-9621-43632d01fa49</a:RelatesTo>
	</s:Header>
	<s:Body>
		<AppelComResponse xmlns="http://www.silae.fr/">
			<AppelComResult xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
				<b:KeyValueOfanyTypeanyType>
					<b:Key i:type="c:int" xmlns:c="http://www.w3.org/2001/XMLSchema">1</b:Key>
					<b:Value i:type="c:base64Binary" xmlns:c="http://www.w3.org/2001/XMLSchema">
AKzR15lw+4zEApy/4BoiSOBSJ1mIUJBNSpgYu99SDPM80mfxa9pldkka91NqQfz8
/1jMQfeQVes3Edbb82c5CpHD7zEDhe8ZtUQjOFgbHdG599Hr6inSOOaaYOzEeb9q
Q3isSXkPBY9Pxo1IQOMsEY4spiRhSsOmfk2eFdlSIo/ENjWubVNSfG63oLGCL9nY
lsUvpA/xexKLORUGgPSanFlQ5z5uTdklbgWQUp4vJyZqQWv8NXVbREC7Lco8a2Bj
9D6AnEI3Ww4jM2LGR4Yz7Xm7YCCuW+7G7Q7bBNZ3TMt3A01xb/+8dUPrkie5a76V
9se30iwwD4X/yN7ngVkZgIpUpijrSy7xxMAB0/WY+IaOM+bv5d66SST7MJ3ozjVe
W7WFMT0OP7SEDq5EGbhDo5Kuj+b7T3iuSVCwxCwnxC0SFZg4/k5rPU9rrFgoined
0a2ShX8gZEBDQlefV7xIwkfldvEIVYTRgPqk4ff37caWY/k/PEzQJOMp/FpXYE1N
9RxcYSeE371VVwyIGNljjCDVt7adHIdHvV7e5IFYmyF0/vH9zkGC3VR/jF3g6iOC
K/gkzNBlWtrrc76M1W3HPIv0MoytH0uJDENYZimHfXxn8mjSUEEjc3jOMutnwpbo
E3yCUdXWhy60k995DHI3QYEJoBZ0BZphRqG3eJnv+1KPoaprcTLp2j3IyvoO5qPl
loDTHaeaIrZiQ4QVLHzq6kE5U0GOLnjuaS01G+GNwpaj0Le3LsFFIttzRcbAJwee
rersFhfr82+XQymhYef8/UhC/CAiulYP/1j2fPPKTNcxuKvAYPvoMG3yT0IQStuO
mBLjXth1RmaWMe9xanSvan+GL85y08CA/MIUHWLNzOF2LjSE5Im130YrwtkWHjGL
eM668B1iuk3/w7h+EUSuDwf+dc1GduyDhC2Kijx2DNBxg4UHKkGjGtKUU+DVKsAr
nMoNztidcEyxNBLrewX0XQhBa0egeSzCiZIEsItoInB+Dn5fBgc/W1hFf2M5iPir1g==</b:Value>
				</b:KeyValueOfanyTypeanyType>
				<b:KeyValueOfanyTypeanyType>
					<b:Key i:type="c:int" xmlns:c="http://www.w3.org/2001/XMLSchema">0</b:Key>
					<b:Value i:type="c:int" xmlns:c="http://www.w3.org/2001/XMLSchema">2</b:Value>
				</b:KeyValueOfanyTypeanyType>
			</AppelComResult>
		</AppelComResponse>
	</s:Body>
</s:Envelope>

We decrypted it

00000000  0b 00 08 24 4d 45 54 48  4f 44 45 0c 14 41 63 71  |...$METHODE..Acq|
00000010  75 69 73 69 74 69 6f 6e  42 75 6c 6c 65 74 69 6e  |uisitionBulletin|
00000020  73 02 50 34 05 00 00 00  00 04 24 41 50 50 0c 0f  |s.P4......$APP..|
00000030  53 69 6c 61 65 43 6c 69  65 6e 74 2e 65 78 65 02  |SilaeClient.exe.|
00000040  50 32 05 d1 95 01 00 04  24 44 4f 4d 0c 00 02 50  |P2......$DOM...P|
00000050  35 63 01 00 02 42 41 62  6b 00 00 00 04 00 1f 4f  |5c...BAbk......O|
00000060  70 74 69 6f 6e 5f 4c 69  73 74 65 52 65 63 75 72  |ption_ListeRecur|
00000070  73 69 76 65 53 75 70 65  72 76 69 73 65 73 02 01  |siveSupervises..|
00000080  1e 4f 6e 67 6c 65 74 4e  61 74 75 72 65 55 74 69  |.OngletNatureUti|
00000090  6c 69 73 61 74 65 75 72  53 61 6c 61 72 69 65 02  |lisateurSalarie.|
000000a0  01 08 49 44 5f 44 52 4f  49 54 05 d1 95 01 00 12  |..ID_DROIT......|
000000b0  49 44 5f 53 55 50 45 52  56 49 53 45 55 52 5f 53  |ID_SUPERVISEUR_S|
000000c0  56 4e 05 5e 00 00 00 02  54 35 0c 29 53 49 4c 41  |VN.^....T5.)SILA|
000000d0  45 2e 43 4d 5f 53 55 50  45 52 56 49 53 49 4f 4e  |E.CM_SUPERVISION|
000000e0  2b 43 53 75 70 65 72 76  69 73 69 6f 6e 43 6f 6e  |+CSupervisionCon|
000000f0  74 65 78 74 65 02 50 33  05 88 40 00 00 07 24 43  |texte.P3..@...$C|
00000100  4c 41 53 53 45 0c 0f 43  4d 5f 50 41 49 50 4f 52  |LASSE..CM_PAIPOR|
00000110  54 41 49 4c 43 50 04 24  55 53 52 0c 05 33 30 36  |TAILCP.$USR..306|
00000120  37 37 02 50 31 05 b4 04  00 00 16 16 16 16 16 16  |77.P1...........|
00000130  16 16 16 16 16 16 16 16  16 16 16 16 16 16 16 16  |................|
00000140

And deserialized it

{
      '$METHODE': { type: 12, value: 'AcquisitionBulletins' },
      P4: { type: 5, value: 0 },
      '$APP': { type: 12, value: 'SilaeClient.exe' },
      P2: { type: 5, value: idDroit },
      '$DOM': { type: 12, value: '' },
      P5:
        { type: 99,
          value:
           { BA:
              { type: 0x62,
                value: cSupervisionContexte } }},
       T5: { type: 12, value: 'SILAE.CM_SUPERVISION+CSupervisionContexte' },
       P3: { type: 5, value: idPaiSalarie },
       '$CLASSE': { type: 12, value: 'CM_PAIPORTAILCP' },
       '$USR': { type: 12, value: $usr },
       P1: { type: 5, value: idClient }
  }

And finally, the client

How I hacked into an encrypted service

By Kevin Raynel

How I hacked into an encrypted service

  • 465
Loading comments...

More from Kevin Raynel