Title: Performing a MITM attack on the .NETGuard desktop application
Authors: Washi, 766F6964
Originally released on: https://www.rtn-team.cc/board

Abstract: Code obfuscation is a method of preventing third parties from reverse engineering the inner workings of software. One cloud-based service that provides this kind of protection for .NET applications is .NETGuard. .NETGuard distributes a desktop application that interacts with .NETGuard's API. In this paper, we show that the protocol used by the desktop application has several security flaws. The most serious flaws include the possibility of leaking account credentials and/or the original binary being restored from the generated network traffic. Additionally, the protocol performs no verification on the network traffic, which allows a Man-in-the-Middle (MITM) attack to modify packets and send malicious content back to the client.

Disclaimer: The intent of this article is not to determine or conclude whether .NETGuard is a good or a bad obfuscator, nor as a means of attacking the developer personally. Rather, the content of this paper focuses on critical security issues found within the .NETGuard desktop client, and the communication between the desktop client and the .NETGuard servers. The main purpose of this paper is to raise awareness about the security concerns identified and inform .NETGuard's users that their data may be at risk. We have communicated these security issues to the .NETGuard team, but they have fallen on deaf ears. Other than changing the plain-text passwords to a double MD5 hash, no further action was taken. A month in, the vulnerabilities are still unpatched, so we took it upon ourselves to communicate our findings to the community. Now it is for the public to decide whether or not to continue using this software.

Video Showcase: (The video is also referenced in the paper)

Sourcecode: The sourcecode of the attacking script can be found here.

FAQ
Q: I am a .NETGuard user, are my credentials and/or code leaked? A: If you are using the desktop client (not the browser), chances are someone might have sniffed your details and/or code, especially if you have been using (public) WiFi. To be safe, make sure your password is not shared with any other online service or you might risk becoming a victim of identity theft. Unfortunately, there is little we can do about the theft of your code.
Q: Can I use this script to capture and modify traffic from anyone using .NETGuard? A: This script is a PoC only, and only works if you are able to reroute the traffic through your own machine. However, this can be achieved using various methods such as arpspoofing or configuring your router properly.
Q: How do I obtain the password after sniffing the hash code? A: There are many publicly available tools to crack the hash within reasonable time. These tools include John the Ripper and HashCat. Make sure that it is configured to crack a double MD5 hashcode, i.e.
hash = MD5(MD5(password))
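As an added example (not from the paper or the attacking script), the credential transform stated above written out in Python, so that a user who finds a value in a capture of their own traffic can check whether it corresponds to their own password. The paper does not say whether the inner digest is re-hashed as its hex string or as its raw bytes, so both variants are covered; that choice is an assumption of this example.

```python
import hashlib


def double_md5_hex(password: str, raw_inner: bool = False) -> str:
    """Return MD5(MD5(password)) as lowercase hex.

    raw_inner=False re-hashes the 32-character hex string of the inner
    digest (the common md5(md5($pass)) convention); raw_inner=True re-hashes
    the 16 raw digest bytes. Which variant the client uses is an assumption.
    There is no salt and no per-user or per-session input, so the same
    password always produces the same value for every user and every login.
    """
    inner = hashlib.md5(password.encode("utf-8"))
    inner_bytes = inner.digest() if raw_inner else inner.hexdigest().encode("ascii")
    return hashlib.md5(inner_bytes).hexdigest()


def matches(observed_hex: str, password: str) -> bool:
    """True if observed_hex equals the double MD5 of password under either variant."""
    observed = observed_hex.strip().lower()
    if len(observed) != 32 or any(c not in "0123456789abcdef" for c in observed):
        return False  # not a hex-encoded MD5 digest at all
    return any(double_md5_hex(password, raw) == observed for raw in (False, True))


if __name__ == "__main__":
    # Constructed sample: stands in for a value copied out of one's own capture.
    sample = double_md5_hex("correct horse")
    print(sample, matches(sample, "correct horse"), matches(sample, "wrong"))
```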
Q: Can I capture any (un)obfuscated file being transferred from and to the .NETGuard server with this script? A: Yes, the script is generic enough to be able to capture any binary file being sent or received, so long as the traffic goes through the machine running the script.
Q: Can I modify any (un)obfuscated file being transferred from and to the .NETGuard server with this script? A: Currently, the framework allows it. However, the `main.py` script is set up to only modify the sample application provided in the repository. A few modifications are therefore required to make it work for other binaries.
Q: After I ran the script I don't have internet anymore. What do I do? A: The script adds additional firewall rules to your system. Normally the script removes them upon shutdown, but if the script was somehow interrupted before this happened, you might need to remove them manually. You can check for the additional rules by running the following command as root:
```sh
iptables -L
```

To remove the entries, you can use the -D flag instead. E.g. to remove the first rule of the INPUT chain and the first of the OUTPUT chain, use:

```sh
iptables -D INPUT 1
iptables -D OUTPUT 1
```

After that, the connection to the internet should be restored.
Download: https://www81.zippyshare.com/v/7RNCs56x/file.html

Credits: Thanks again to CodeBlue for proofreading the paper.