
Brute-Forcing Mighty Dark Castles

BSides Cairo · 2020 · 29:33 · 587 views · Published 2021-10
Category: Technical
Style: Talk

Transcript [en]

Hello everyone. I am the first one to go to the meeting and I would like to thank the team of SAIZ for the invitation. 80% of the participants last year were students. I am the voice of the students. The token is a public token, but the price is a little high. This is a new approach to reverse engineering, but we will continue with the other approaches. I will try to give you a general overview, but I will try to explain what I learned from the course. It's a very useful tool, so I trust people to use it.

First of all, I want to talk about myself. My name is Ghaatwee, I'm a graduate student at the University of Karabakh. I'm interested in the future of systems and IoT. I'm a Twitter follower. I'm working in IT. I work in security. I'm a security manager. In 2016, I became a CISI graduate and I want to be a CISI+ classmate. I know this much. If someone is interested in gaming, I will help him. I have a friend in the same school as me. He is a student in Egypt. He is a student in Dallas. He is a student in the same school as me.

Another thing I'm proud of is the community in the Masoura. In the past, there was no community in the Masoura. I was the leader of the community. This year, even the old ones, they are still in Masoura. There are a lot of people. Hopefully, in the future, we will be able to be more active. The thing I'm most proud of is the fact that we have a lot of people. We were working on an enterprise-based solution based on the paper analysis. Of course, there was nothing big, but we accepted the contest and received a prize and a fund. But of course, the MVP and the business plan were not seen in the end, and it ended after six months of being a good thing. If anyone wants to talk about the virus and this kind of thing, they can share it with us.

OK, I will talk about this. I will give you a simple introduction to reverse engineering as a warm-up. I will take the solution

People know to apply these things. But when you come to the site and go home, you say, "I don't want to learn reverse engineering." But we won't take it as a book of books; for example, you can't explain it with a simple word. For example, we can't explain it in binary, in a specific way, and not in English, and in English. We know why the approach is different in the film than in the other films. I don't know.

It's a waste of time, what are we trying to do? Programmers always intend to do something. But what happens when they don't want to? The computer literally applies what is written in front of the computer. So programmers must know what they intend to do, and how to talk about what they want to talk about. Another thing that can be applied in the program is the function of the function and the function of the function. The function of the function is more vulnerable. It increases its value and the value of the function increases.

In my case, I have a simple formula that I will explain to you in a minute. But it has two factors that I will explain to you. And I know how to use it to make an authorized access. Let's explain now a simple formula. I will explain it to you in a minute.

If you want to know the speed of the process, you need to know the number of units and the number of devices. There are two types of units, one for each device and the other for each device. The most important thing is the stack. The stack is used to check the actual work of the specific type of device. You know the flow from one device to another. Even the stack itself is a program,

there are parameters like the buffer, the variable, the variable and the return address, so that it knows where the function is. So the stack is also a certain organization so that it can organize it. So what does this buffer overflow mean? This buffer overflow happens when I don't check the size. So the memory or the input of the buffer will go over the root as it was before, so the overwrite will be the next memory. What can this example mean? But first, this is an example of a simple memory: for example, the buffer is 8 bytes. If I put 10 bytes in it, 2 bytes in the memory will be overwritten.

Let's explain the C code first. Why did I choose C code? Because in C the programmer is responsible for all the integrity. If we leave the compiler or any other thing to make all the integrity checks in the highest binary, that is one thing that makes the level of control of the programmer. So C is for a programmer that knows what the problem is. But this is a way of printing things. So the code is simple. There is a normal buffer. There is a variable integer. I took the integer in the value of m. The integer is not a number. And if this integer is a multiple, then I will take it. So if I took m in a simple way, I will specify it in the menu. For example, I will specify 16.8. I will specify it in the menu. For example, the variable is still in the first part. No one touched it yet. And still, like me, it is not admin. If admin is still admin, it is not admin. But if I set the value of the variable, what will happen? What will happen? If the overwrite of this variable is the overwrite of the value of the variable, if I put something like this, I will find the value of the variable as the hexadecimal notation of the known value. So imagine if I check if admin rb-0 variable, I will choose true and it will be admin. But this is simple, but it can be done in a simple way.

We have two functions here, one is function, to explain the term that we are going to use. If we want to learn a place in B or T, this is possible because we have a function in B. The function in A is called function B, so the execution takes the name of this place to return to this place. So here the function takes another and the other takes another. So if I take two of these two to the same server, I will see them in the same room. And the second place that I entered is the return address of the server. So the function took the input and returned to the server, no problem. So if I entered this as an input, we have an overwritten return address on the stack. So, when the CPU returns to the server and it knows that there is a certain value, then it will go to the opposite side of the return address. So, it is something x1, x2, x3, and it doesn't know what this is, it doesn't know that there is a place in the program where it is not present, and it needs a segmentation. So, yes, there is a need for a crash, but the hacker can do something difficult with it. For example, he can override this thing, override the intent data, and he wants to stop it. For example, if I want to add a return address to my writebook, I will add a certain place to the return address and the return address will be the same as the return address. I am not a coding expert, but I have done the case that was in the mission form. I prepared the code for execution and purchase and I have written the return address for it and I have calculated the number of slides and so on. If you want to know more, check this. I put the return address on the first full key of this command. So I opened the command and I know how to execute commands on the node. It's a simple thing, we just need to push the command to the x7 and

then the command will take the command. The topic is not a question, I am not saying that you should go to the open rate, there are reviews and other things that are not easy to understand. There is a certain input that will solve these problems, but the topic is not the topic; the one that is most important is the one that is most important. On the contrary, there is another topic that I have a very strong opinion about. Finally, I will see the black box and see what happens to it, and I want to see the input that will lead to all the projects. There is a way we can do it: we can call the company to do teaming. But we will not understand it and we will know what they are doing. We will talk to them and tell them that we want to do a security assessment on your case, but you will do it in black box. So what is the difference between them? Some people will see the theory that there are many inputs you will never know. What does this theory say? It says that you went to the ERC and put a computer and wrote a statement that at a certain time the factory will be able to do 3D printing. If you leave the error, it will come to you at a certain time and will type the input that will bring you the problem or the crash that we have created in the executor because of this.

So we can do this. We can actually use brute force to reduce the problem of buffer overflow and patching. But brute force is inclement, it is not efficient, it is not a problem for us. For example, if someone knows about the most famous brokers in the maze, this is their complex, or the first in which is the curation, the EFS, and the other things. So the complex is like this, something different. Let's see the example of the maze. For example, I have a maze, 100/100. I will calculate the compressive value. 4/2 is the number of compressions. The computer will give me 10/7 compressions per second. If I calculate the number of compressions, I will divide the number of compressions by the number of compressions in the volume. So, brute forcing is not efficient in the current state. We need to find a better way to find the best brute forcing to find the input or the payload that we like. So, we can use the coverage purpose; if we want to get a path with any code, if we want to cover it, we can do it, and we will know that the input will give us the location fault, or the graph will be smaller because it is not in the location.

We will use something called fuzzing. Fuzzing is a process where we have to test many cases to run the application. Then I will monitor it to see if it will crash or not. If it crashes, what will happen? There are crashes that I can use after I see the crash and I can get back my money. Or at least I can use the crash as a service. I can send my money to this application and I can use it. I can send my money to any service and I can get back my money easily. What are the test cases? What are the advantages of test cases? For example, a web server will simulate network traffic and see the traffic and the specific input that will be used in the web server. It can also run command line arguments, environment variables, files, or any other thing. For example, if someone is working on IoT or ecosystem testing, he will get the first batch and run it on the components and know what is happening. But the idea of what the difference between fuzzing and brute forcing is, is that in fuzzing the test cases are random. I don't need brute force for all of this. I will get random test cases and try them little by little. I will show you how the test cases are. There are two types of test cases: one is dumb fuzzing and the other is intelligent fuzzing. Dumb fuzzing is when I get a number: a file takes my application and flips the bytes. I will see if I get a crash or not. I will flip a lot of files and get a lot of test cases, like a fuzzing tool that is fast and doesn't require high files to work for minutes. But a fuzzing tool like intelligent fuzzing that I built from scratch needs to be with me in source mode or documentation or the PCP to know how to build a good fuzzer that can bring me effective outputs out of it. After we do the test cases, the second step is to monitor my application to see if there is a crash, how it happened, and how I will use this crash to do a buffer or not. So, it is clear that the final written in C will take the output of the monitoring and the monitoring will be different from something written in Dota, or an application

written in Perl, for example. But the monitoring methods are not the same at all. I will ask for something called valid case misinterpretation. For example, I will ask for a server and I will ask for a CD. I will see if it is good or not. If it is good, I will not ask for anything else. If I don't want to see the crash, I will check the other problems first. I will monitor the system. I will monitor the system only. I will monitor the application itself. I will touch the process to see what is happening. If there is a crash, I will check what happened in the previous one. As for system monitoring, we can choose a specific system to see what the system is doing, and how it is working. We can see everything. So, we can simply say that we are getting test cases, and the test cases are going to be remediated during the crash. What happened during the crash? How can we use this crash to make a difference?

So, of course, the company is still running. But the idea is that real life will not always be the same. I mean, for example, when I open any application, I will find that the password is wrong and the password is wrong too. If you go to the interface, it will be like this. The map is like this. Of course, if something else is wrong, it will be like this. Or if you have a Gbom, for example. If you have a Gbom with a specific trigger, you will do the same thing for the magic script, you will do the same thing for the library. It is very difficult. Let's say you are in something special, like a proficiency. Do you know what a proficiency is? It is a program that takes the file and tries to construct it with the add, the sub, and the branches. The program will tell you how to do it. It's not as easy as you think. But the idea is how you will revise it, or how you will solve something like this. And it's very difficult.

So let's just go outside of the "fuzz_addition" function. Because this "addition" is very simple: it takes the input of the user, and if the input is greater than 10, he will go in and see what he can do, and he will win or he will not win. So, the probability of me getting a discounted number is not that simple. I don't know what you think of this simple thing, but it is considered as an evaluation of the current stock. I will tell you about the possibility of a fallout. If someone wants to buy a probability and make a trade in the coin, the probability is 50%. If someone wants to buy a coin, if you want to find a number, then you multiply it; this number is the possibility of fuzzing, so fuzzing is not efficient in this case.

Let's start. We will talk about AI in another way. This is the problem with AI. We will use something called angr. angr is a good framework, it has no bad things. I won't discuss everything at the moment, but I will continue to discuss

what we need and what the support of the institution refers to in our task, that we need to get the input that will make the flash work. I can't show you the documentation of the application, but we have the computer, the graph, the data, the graph, the analysis and the analysis. So we can say that it is symbolic execution. The first thing we know about symbolic execution is that it differs from the execution itself. Symbolic execution is an emulator, not an execution as you saw in the video. The application uses symbolic values, not concrete values. For example, if the execution is a little bit long, it will be a little bit long. If it is bigger than 10, it will execute the branch from the other side. If it is smaller than 10, it will go to the branch from the other side. But all this execution, including the execution of the input, the don't branching, will compute the branching. And if there is more than one branch, it will compute the other branching. It doesn't take the full of everything. It is not like the distribution of the speed of the code, it is all the same. So, when you import the code from the symbolic engine, it will tell you that the code will be like this: it is the first one, the second one, the third one, the fourth one, the tenth one, the fourth one, the fifth one, and all these are on the simulation. How did this happen? Someone who studied math or EFS, he has no idea of the whole process. He goes through all the branches first, then he takes the first and the second, then he takes the first and the second, and now he is a student of the same language, so he doesn't have to take the first and the second, or the second and the third, and then he takes the next and the next and the next, and finally he says he wants the input or the path that gives him the input, the condition for it. So he says, "I want all these paths."

Let's see how it works, let's move it a little bit, let's see if we can see it. The first step is to create a specific script to use in the next step. If you open the main function in Vitor, you will find that it has the same function as the first one. It takes the array weight and the input less than 200 meters, less than a meter, and then it goes up to 14 meters. So there is a way to reach the plane. The first way is to go one by one on each structure of the plane. This is the way. But it is not the same. There is another way to use it, which is using the symbolic execution method. We use angr to make it work; we want to use one thing. First, we need to know the input, what do we want to use it for? What do we want to use it for? The input that I have here is a value of 14 bytes, and I will check it here. The second thing I will do is to take the brandf.victory title and put it in the middle of the text. The third thing that I want to tell you is that there is something you should avoid for this title. What is it? It is the structure of the denied access. If you want to go for printf to avoid denied access, I saw the title of printf and I wrote the description of it. I just saw the library as I wanted it. I took the instance from the project. I set the input to 0.6 and it is 16 bytes long and 14 bytes long. Here I set the vector to 100, which represents the integer, and the value of the integer is 0.2. I checked my manager and asked him to find the brand as victory and avoid the demand as victory, and I showed him my parsed link. In exactly 7 seconds, I got the flag. 7 seconds. Imagine if someone is doing the first 14 functions in one session. That's it, the topic is over, it's over.

Another thing is something complicated like that. I want to reach a certain input to the infrigerable push button. The input that enters the buffer will be in the same angle as the executioner. I usually don't tell people to understand and to get excited about the topic because I don't know if it's appropriate to use it in the future, for example, in the use of a wood server and use it in the angle of people getting excited. This is the goal of the project, which is to set the reverse AGM and so on. We want to say that people who are having difficulty in reverse, if they are doing a competition, they are still not good enough. So, we want to make a team of 10 people to do a single exercise, and they will be able to do it. People are interested in everything, but they want to learn the basics of reversing. Reversing is not difficult.

I hope that the more professional people that I have met will encourage people to go and say that they want to learn reversing. Reversing is not difficult, reversing is just a little bit difficult. In a simple way, I would like to teach you. There are all the famous ones, I don't need to say a lot of words; I mean, anyone who looks at the book, he will see it, it's not a big deal. The second thing is that you can remember, for example, if you don't know the books, you can remember the book of Solon, the book of the book. Also, you can find many things on Twitter that are not like me, or you can search for "Cabium". Someone is spoofing on "Discretion Food Controller". There are many things, but on Twitter, it's not on the same level. And the most important thing is that you start with the topic of the day. Something like spoofing, I did it, I will make it more interesting. Like I will write my script, I will make it more interesting. So, our knowledge is good, but we still have to improve it. Our field needs to be more focused. I will show you something, but I don't want to talk about anything. There are many people who say that the reasoning theory is not difficult. I was one of them, I was 37 years old, I was 19 years old, I don't know what I was doing. I started playing HTML and I started playing this game. I didn't expect that he would be able to do it. I was able to do it. I didn't ask for anything. I asked people to do it better than me. You can't ask God for anything. If you need anything, you can call me. We have a community of people who are all beginners. We have one beginner. You can call him anything. That's all I want to say.
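The talk's two central ideas, an 8-byte buffer with an "admin" integer sitting right after it that an unchecked copy overwrites, and a dumb byte-flipping fuzzer that finds such an input without brute-forcing every byte, as one added worked example. This is not the speaker's code or the program shown in the talk: the struct layout pins the buffer and flag next to each other so the demo does not depend on how a particular compiler lays out stack locals, the names `struct frame`, `unsafe_copy`, `safe_copy`, `run_check` and `fuzz_until_admin` are illustrative assumptions, and the 5-byte seed input is constructed here. The hardened copy shows the length check the speaker says is missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout from the talk: an 8-byte buffer with an "is admin" integer right
 * after it, pinned in a struct so the result does not depend on how a given
 * compiler orders stack locals. All names here are illustrative assumptions. */
struct frame {
    char    buffer[8];
    int32_t is_admin;   /* 0 = not admin; any other value passes the check */
};

/* Vulnerable copy: bounded by the whole frame instead of the buffer, so input
 * bytes 9..12 land in is_admin. (Writing through the struct's byte
 * representation keeps this well-defined C while reproducing the overwrite.) */
static void unsafe_copy(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(f, in, len);
}

/* Hardened copy: the length check against the buffer that the talk says is
 * missing. Longer input is truncated and is_admin is never touched. */
static void safe_copy(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > sizeof f->buffer)
        len = sizeof f->buffer;
    memcpy(f->buffer, in, len);
}

/* Feed one input through the chosen copy routine and return is_admin, i.e.
 * what an "if (is_admin)" check in the program would see afterwards. */
int32_t run_check(int hardened, const unsigned char *in, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);        /* starts as "not admin" */
    if (hardened)
        safe_copy(&f, in, len);
    else
        unsafe_copy(&f, in, len);
    return f.is_admin;
}

/* Dumb mutation fuzzer in the spirit of the byte flipping the talk describes:
 * start from a benign seed, randomly change the length, flip one bit, and use
 * "is_admin changed" as the crash oracle instead of a signal. A fixed LCG seed
 * keeps runs reproducible. Returns the number of test cases needed, or -1 if
 * max_iter passed without a hit. found and found_len may be NULL. */
static uint32_t rng_state = 12345u;

static uint32_t next_rand(void)
{
    rng_state = rng_state * 1664525u + 1013904223u;   /* classic 32-bit LCG */
    return rng_state >> 8;                            /* drop the weak low bits */
}

long fuzz_until_admin(int hardened, long max_iter,
                      unsigned char *found, size_t *found_len)
{
    const unsigned char seed[12] = "hello";   /* constructed benign seed */
    const size_t seed_len = 5;
    unsigned char cur[12];

    for (long i = 1; i <= max_iter; i++) {
        size_t len = seed_len;
        memcpy(cur, seed, sizeof cur);
        if (next_rand() % 4 == 0)                 /* mutation 1: new length */
            len = next_rand() % (sizeof cur + 1);
        if (len > 0)                              /* mutation 2: flip one bit */
            cur[next_rand() % len] ^= (unsigned char)(1u << (next_rand() % 8));
        if (run_check(hardened, cur, len) != 0) { /* oracle: flag got overwritten */
            if (found)     memcpy(found, cur, sizeof cur);
            if (found_len) *found_len = len;
            return i;
        }
    }
    return -1;
}

int main(void)
{
    const unsigned char *ten_a = (const unsigned char *)"AAAAAAAAAA"; /* 10 bytes */
    unsigned char found[12];
    size_t found_len = 0;
    long hits, none;

    printf("unsafe copy of 10 x 'A': is_admin = 0x%x\n", (unsigned)run_check(0, ten_a, 10));
    printf("safe copy of 10 x 'A':   is_admin = 0x%x\n", (unsigned)run_check(1, ten_a, 10));
    hits = fuzz_until_admin(0, 100000, found, &found_len);
    printf("fuzzer reached the admin flag after %ld test cases (input length %zu)\n",
           hits, found_len);
    none = fuzz_until_admin(1, 2000, NULL, NULL);
    printf("fuzzer against the hardened copy: %ld (no hit expected)\n", none);
    return 0;
}
```

With ten 'A' bytes the unsafe path reproduces the talk's "8-byte buffer, 10-byte input, 2 bytes overwritten": on a little-endian machine is_admin reads 0x4141, the hexadecimal form of the input bytes, while the hardened copy leaves it at 0. The fuzzer never brute-forces the 12-byte input space; random length and single-bit mutations of a benign seed reach the flag in a few dozen cases on average, and against the hardened copy no number of cases can.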