DotNet First Side

Why/What Blockchain Exploitation?

In this blog series we will analyze blockchain vulnerabilities and exploit them ourselves in various lab and development environments. If you would like to stay up to date on new posts follow and subscribe to the following:
Twitter: @ficti0n

Youtube: https://www.youtube.com/c/ConsoleCowboys
URL: http://cclabs.io
http://consolecowboys.com

As of late I have been un-naturally obsessed with blockchains and crypto currency. With that obsession comes the normal curiosity of "How do I hack this and steal all the monies?"

However, as usual I could not find any actual walk thorough or solid examples of actually exploiting real code live. Just theory and half way explained examples.

That question with labs is exactly what we are going to cover in this series, starting with the topic title above of Re-Entrancy attacks which allow an attacker to siphon out all of the money held within a smart contract, far beyond that of their own contribution to the contract.

This will be a lab based series and I will show you how to use demo the code within various test environments and local environments in order to perform and re-create each attacks for yourself.

Note: As usual this is live ongoing research and info will be released as it is coded and exploited.

If you are bored of reading already and just want to watch videos for this info or are only here for the demos and labs check out the first set of videos in the series at the link below and skip to the relevant parts for you, otherwise lets get into it:

Background Info:

This is a bit of a harder topic to write about considering most of my audience are hackers not Ethereum developers or blockchain architects. So you may not know what a smart contract is nor how it is situated within the blockchain development model. So I am going to cover a little bit of context to help with understanding. I will cover the bare minimum needed as an attacker.

A Standard Application Model:

In client server we generally have the following:
Front End - what the user sees (HTML Etc)
Server Side - code that handles business logic
Back End - Your database for example MySQL

A Decentralized Application Model:

Now with a Decentralized applications (DAPP) on the blockchain you have similar front end server side technology however

Smart contracts are your access into the blockchain.
Your smart contract is kind of like an API
Essentially DAPPs are Ethereum enabled applications using smart contracts as an API to the blockchain data ledger
DAPPs can be banking applications, wallets, video games etc.

A blockchain is a trust-less peer to peer decentralized database or ledger

The back-end is distributed across thousands of nodes in its entirety on each node. Meaning every single node has a Full "database" of information called a ledger. The second difference is that this ledger is immutable, meaning once data goes in, data cannot be changed. This will come into play later in this discussion about smart contracts.

Consensus:

The blockchain of these decentralized ledgers is synchronized by a consensus mechanism you may be familiar with called "mining" or more accurately, proof of work or optionally Proof of stake.

Proof of stake is simply staking large sums of coins which are at risk of loss if one were to perform a malicious action while helping to perform consensus of data.

Much like proof of stake, proof of work(mining) validates hashing calculations to come to a consensus but instead of loss of coins there is a loss of energy, which costs money, without reward if malicious actions were to take place.

Each block contains transactions from the transaction pool combined with a nonce that meets the difficulty requirements. Once a block is found and accepted it places them on the blockchain in which more then half of the network must reach a consensus on.

The point is that no central authority controls the nodes or can shut them down. Instead there is consensus from all nodes using either proof of work or proof of stake. They are spread across the whole world leaving a single centralized jurisdiction as an impossibility.

Things to Note:

First Note: Immutability

So, the thing to note is that our smart contracts are located on the blockchain
And the blockchain is immutable
This means an Agile development model is not going to work once a contract is deployed.
This means that updates to contracts is next to impossible
All you can really do is create a kill-switch or fail safe functions to disable and execute some actions if something goes wrong before going permanently dormant.
If you don't include a kill switch the contract is open and available and you can't remove it

Second Note: Code Is Open Source

Smart Contracts are generally open source
Which means people like ourselves are manually bug hunting smart contracts and running static analysis tools against smart contract code looking for bugs.

When issues are found the only course of action is:

Kill the current contract which stays on the blockchain
Then deploy a whole new version.
If there is no killSwitch the contract will be available forever.

Now I know what you're thinking, these things are ripe for exploitation.

And you would be correct based on the 3rd note

Third Note: Security in the development process is lacking

Many contracts and projects do not even think about and SDLC.
They rarely add penetration testing and vulnerability testing in the development stages if at all
At best there is a bug bounty before the release of their main-nets
Which usually get hacked to hell and delayed because of it.
Things are getting better but they are still behind the curve, as the technology is new and blockchain mostly developers and marketers. Not hackers or security testers.

Forth Note: Potential Data Exposure via Future Broken Crypto

If sensitive data is placed on the blockchain it is there forever
Which means that if a cryptographic algorithm is broken anything which is encrypted with that algorithm is now accessible
We all know that algorithms are eventually broken!
So its always advisable to keep sensitive data hashed for integrity on the blockchain but not actually stored on the blockchain directly

Exploitation of Re-Entrancy Vulnerabilities:

With a bit of the background out of the way let's get into the first attack in this series.

Re-Entrancy attacks allow an attacker to create a re-cursive loop within a contract by having the contract call the target function rather than a single request from a user. Instead the request comes from the attackers contract which does not let the target contracts execution complete until the tasks intended by the attacker are complete. Usually this task will be draining the money out of the contract until all of the money for every user is in the attackers account.

Example Scenario:

Let's say that you are using a bank and you have deposited 100 dollars into your bank account. Now when you withdraw your money from your bank account the bank account first sends you 100 dollars before updating your account balance.

Well what if when you received your 100 dollars, it was sent to malicious code that called the withdraw function again not letting the initial target deduct your balance ?

With this scenario you could then request 100 dollars, then request 100 again and you now have 200 dollars sent to you from the bank. But 50% of that money is not yours. It's from the whole collection of money that the bank is tasked to maintain for its accounts.

Ok that's pretty cool, but what if that was in a re-cursive loop that did not BREAK until all accounts at the bank were empty?

That is Re-Entrancy in a nutshell. So let's look at some code.

Example Target Code:

function withdraw(uint withdrawAmount) public returns (uint) {

1. require(withdrawAmount <= balances[msg.sender]);

2. require(msg.sender.call.value(withdrawAmount)());

3. balances[msg.sender] -= withdrawAmount;

4. return balances[msg.sender];

}

Line 1: Checks that you are only withdrawing the amount you have in your account or sends back an error.

Line 2: Sends your requested amount to the address the requested that withdrawal.

Line 3: Deducts the amount you withdrew from your account from your total balance.

Line 4. Simply returns your current balance.

Ok this all seems logical.. however the issue is in Line 2 - Line 3. The balance is being sent back to you before the balance is deducted. So if you were to call this from a piece of code which just accepts anything which is sent to it, but then re-calls the withdraw function you have a problem as it never gets to Line 3 which deducts the balance from your total. This means that Line 1 will always have enough money to keep withdrawing.

Let's take a look at how we would do that:

Example Attacking Code:

function attack() public payable {

1. bankAddress.withdraw(amount);

}

2. function () public payable {

3. if (address(bankAddress).balance >= amount) {

4. bankAddress.withdraw(amount);

}

Line 1: This function is calling the banks withdraw function with an amount less than the total in your account

Line 2: This second function is something called a fallback function. This function is used to accept payments that come into the contract when no function is specified. You will notice this function does not have a name but is set to payable.

Line 3: This line is checking that the target accounts balance is greater than the amount being withdrawn.

Line 4: Then again calling the withdraw function to continue the loop which will in turn be sent back to the fallback function and repeat lines over and over until the target contracts balance is less than the amount being requested.

Review the diagram above which shows the code paths between the target and attacking code. During this whole process the first code example from the withdraw function is only ever getting to lines 1-2 until the bank is drained of money. It never actually deducts your requested amount until the end when the full contract balance is lower then your withdraw amount. At this point it's too late and there is no money left in the contract.

Setting up a Lab Environment and coding your Attack:

Hopefully that all made sense. If you watch the videos associated with this blog you will see it all in action. We will now analyze code of a simple smart contract banking application. We will interface with this contract via our own smart contract we code manually and turn into an exploit to take advantage of the vulnerability.

Download the target code from the following link:

https://github.com/cclabsInc/BlockChainExploitation

Then lets open up an online ethereum development platform at the following link where we will begin analyzing and exploiting smart contracts in real time in the video below:

https://remix.ethereum.org

Coding your Exploit and Interfacing with a Contract Programmatically:

The rest of this blog will continue in the video below where we will manually code an interface to a full smart contract and write an exploit to take advantage of a Re-Entrency Vulnerability:

Conclusion:

In this smart contract exploit writing intro we showed a vulnerability that allowed for re entry to a contract in a recursive loop. We then manually created an exploit to take advantage of the vulnerability. This is just the beginning, as this series progresses you will see other types of vulnerabilities and have the ability to code and exploit them yourself. On this journey through the decentralized world you will learn how to code and craft exploits in solidity using various development environments and test nets.

Related news

In the previous blog post, I have covered the different passwords you have to protect, the attackers and attack methods. Now let's look at how we want to solve the issue.

Password requirements

So far we have learned we have to use long, complex, true random passwords. In theory, this is easy.

Now, this is my password advice for 2014:

Password character classes

Use upper-lower-digit-special characters in general cases.

If you don't understand what I just write, choose from this:

qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM0123456789-=[];'\,./<>?:"|{}_+!@#$%^&* ()`~

If you are a CISO, and say: use 3 out of 4 character class, everyone will use Password12 or Welcome12 as their password (after the 12th enforced password change).

Password length

This is basically the only thing which changes whether the password is in the very high/high/medium/low level. Check the previous blog post for the details about very high/high/medium/low level.

Password length: Very high level class (including work-related/enterprise passwords)

15 character (or 20 if you are really paranoid). Making true random passwords longer than 20 characters usually does not make any sense, even in high security scenarios (e.g. military, spy agencies, etc.). 15 character in Windows environment is a right choice, as LM hash is incompatible with 15 character passwords, thus one (effective) attack won't work. Beware, there might be bugs with using 15 character passwords, with a low probability.

Password length: High-level class

12 character, upper-lower-special characters

Password length: Medium class

10 character, upper-lower-special characters, still TRUE random

Password length: Low-level class

9 character. Why less?

Pin codes

Always choose the longest provided, but a maximum of 8. Usually, more is pretty impractical.

Password randomness

True random, generated by a (local) computer. Avoid Debian. Avoid random generated by your brain. Do not use l33tsp33k. Do not append or prepend the current month, season or year to a word. Do not use Star Wars/Star Trek/(your favorite movie/series here) characters or terminology. In general, avoid any pattern like the above ones. The chances that a true random password generator generates SkyWalker12 is very-very low. And believe me, it is not that hard to crack those. Every algorithm that you would come up with; the bad guys have already thought of it. Use true random. Let the computer do it for you. See details later in this post.

Password history

Never-ever reuse passwords. NEVER!

Password change period

If it is not enforced otherwise, don't bother to change it twice in a year. But! Check if the password cracking speed made your current ones obsolete. If yes, change the obsolete passwords. Immediately change the password if you have been notified that the service you use has been compromised. Immediately change all of your recently used passwords if you suspect malware was running on your computer (do this on a known clean computer). Immediately change your password if you have used it on a computer you don't own, or there is a small chance malware is running on it. Change it if you really had to give your password to someone. Otherwise, goodbye regular password change. We will miss you...

If you are a CISO, and writing security policies, you should have to enforce the password change period based on: do you allow LM hashes? What is the password length requirement for users and administrators? What is the current hash cracking speed, and the forecast for the next 2 years? I think people would be happy to increase their passwords with 1-2 characters, if they are not forced to change it frequently (e.g. every month).
Now after I was sooo smart giving advises people still hate to implement, let's see the practical implementations. At least some people might like me, because I told them not to change the passwords regularly. Next time someone tells you to change all your important passwords regularly, put a lie detector on him, and check if he changes all of his passwords regularly. If he lies, feel free to use the wrench algorithm to crack his passwords. If he was not lying, call 911, to put a straitjacket on him. Only insane paranoid people do that in reality. Others are just too scared to say "what everyone recommended so far is bullshit". Comments are welcome ;) Other people might hate me for telling them using true random passwords. Don't panic, keep reading.

And don't forget to use 2 factor authentication. It might seem a bit of an overkill at the beginning, but after months, you won't notice using it.

(Bad and good) solutions

I will use the same password everywhere

This is a pretty bad idea. If one of the passwords are compromised, either the attackers can access your other sites, or you have to change all of your passwords. There are better ways to spend your life on earth than changing all of your passwords.

I will remember it

Good luck remembering 250 different, complex passwords. Don't forget to change them regularly! ;)

I will use the password recovery all the time

Not a very user-friendly solution. And because the security answer has to be as complicated as the password itself, the problem has not been solved.

I will write it down into my super-secret notebook and put it in my drawer

Although it might work in some cases, it won't work in others. I don't recommend it.

I will use an algorithm, like a base password, and add the websites first letters to the end of the password

Still better than using the same password everywhere, but believe me, if this is a targeted attack, it is not that hard to guess your password generation algorithm.

I will use the advice from XKCD, and use the password correcthorsebatterystaple

Still a lot better than simple passwords, but unfortunately, people are still bad at choosing random words with random order, so it is not the best solution. And again, you can't memorize 250 different passwords ... Even 10 is impossible. Only use this method in special corner cases (see details later), and use a passphrase generator!

I will use a password manager

This is the very first good idea. It solves the problem of remembering 250 different complex and random passwords. Some people might complain about using a password manager, here are those complaints. And my answers:

If someone gets access to this one password store, all is lost.

Answer: If someone accessed your password store, and the master password, you can be pretty damn sure that most of your passwords are already stolen. For extra paranoids, you can use multiple password stores, one for daily use, one for rare cases. Beware not to forget the password for the second one ;)

What if I don't have access to the password store when I need it?

Answer: In the age of cheap notebooks, tablets, and smartphones, in 99% of the cases you should not use that important password on any other device than yours. In the rare cases when you must, you can use either your smartphone to get the password, or use a browser extension like Password hasher to generate different passwords to different websites, with one password. For extra paranoids, you can have different master passwords for the different security levels. And don't forget to change the password after you are back at your own computer.

What if I forgot the one password to the password store?

Answer: If you use your password manager daily, it has the same odds to forget that one password as it is to forget every one of your passwords.

Password managers make phishing attacks easier.

Answer: Who started this nonsense? Good password managers decrease the risk of phishing.

Password managers have the same vulnerabilities as other websites or software.

Answer: Well, this is partially true. There are at least 3 types of password managers, from most secure to least: offline, browser built-in, online. Online password managers give better user experience, with a sacrifice in security. But if you choose one of the leading password managers, and you are a simple home user, the risks are negligible. If you try to store your work password in an online password store, you might violate your internal security policy. For paranoids, use offline password managers, and back them up regularly. If you choose an online password manager, at least use 2-factor authentication. And don't forget, your Chrome password can be easily synchronized to the cloud, shifting it to the online category.

In some cases, like Full Disc Encryption, OS login, smartphone login, or password manager login, the auto-type of password from the password manager is not available, thus choosing a true random password is a pain in the a$$.

Answer: True. Generate pronounceable passwords or passphrases in these corner cases, e.g. with the Linux tool apg you can generate pronounceable passwords. For easy and fast type, don't use capital letters (only lower-alpha - digit - special) in the original password, but increase the length of the password. Add 1 extra character because you don't use upper case letters, add 3 other because it is a pronounceable password, and you are good to go. For extra paranoids change one or two of the letters to uppercase where it is convenient.

apg -M SNL -m 15 is your friend.

If you want to check what I write here (always a good idea), test the entropy of a true random 10 character password with all character classes, and check it with 14 characters, without uppercase. I recommend KeePass for that. If you comment on this that "Keepass can not measure that it is a pronounceable password, thus the entropy is lower in reality", my answer is: "Check out the current passwords used by users, and current password advises, and tell me if this password is a lot better or not ..." . You have been warned.

For the high-level password class, I don't recommend anything your brain generated. There are also suitable offline passphrase generators. Use at least 5-6 words for passphrases.

Password managers are not user-friendly, it takes more time to log in.

Answer: If you set auto-type/auto-fill, and the password manager is opened once a day (and you lock your computer when you leave it), in this case, logging in takes less time than typing it! It is more convenient to use it, rather than typing the passwords every time.

I like to create new unique passwords every time I create a new account, and password managers take the fun away from it.

Answer: Said no one, ever! "38 percent of people think it sounds more appealing to tackle household chores – from folding the laundry to scrubbing toilets – than to try and come up with another new user name or password."

To summarize things. Use a password manager.

General advise

Never use your essential passwords on other computers. They might be infected with a password stealer. If you really have to use it, change the password as soon as possible on a trusted (your) computer.

Don't fool yourself by phishing sites. If you go to the local flea market, and there is a strange looking guy with "Superbank deposit here" logo above his head, will you put your money?

Protect yourself against malware. Use a recent operating system, and even if you use OSX or Linux, it is not a bad thing to have an AV as a "last line of defense". Or to check your pendrive for Windows USB worms.

Never-ever use online web sites to "generate your password", "measure the complexity of your password" or "check if it has been breached". Never! (Except if it is your password manager :) ... )

Update: Sign up on the https://haveibeenpwned.com/ for notification if your e-mail is found in a leak.

Changing passwords frequently is bad advice. It is not effective. Put more energy in other right password advise.

Related word

The name sounds exciting but really does it jam WiFi networks? Yes, it is able to do the thing which it's name suggests. So today I'm going to show you how to annoy your friend by cutting him/her short of the WiFi service.

Requirements:

A computer/laptop with WiFi capable of monitoring (monitor mode).
A Linux OS (I'm using Arch Linux with BlackArch Repos)
And the most obvious thing wifijammer (If you're having BlackArch then you already have it).

How does it work? You maybe thinking!, it's quite simple it sends the deauth packets from the client to the AP (Access Point) after spoofing its (client's) mac-address which makes AP think that it's the connected client who wants to disconnect and Voila!

Well to jam all WiFi networks in your range its quite easy just type:

sudo wifijammer

but wait a minute this may not be a good idea. You may jam all the networks around you, is it really what you want to do? I don't think so and I guess it's illegal.

We just want to play a prank on our friend isn't it? So we want to attack just his/her AP. To do that just type:

sudo wifijammer -a <<AP-MAC-ADDRESS>>

here -a flag specifies that we want to jam a particular AP and after it we must provide the MAC-ADDRESS of that particular AP that we want to jam.

Now how in the world am I going to know what is the MAC-ADDRESS of my friend's AP without disturbing the other people around me?

It's easy just use the Hackers all time favorite tool airodump-ng. Type in the following commands:

sudo airmon-ng

sudo airodump-ng

airmon-ng will put your device in monitor mode and airodump-ng will list all the wifi networks around you with their BSSID, MAC-ADDRESS, and CHANNELS. Now look for your friend's BSSID and grab his/her MAC-ADDRESS and plug that in the above mentioned command. Wooohooo! now you are jamming just your friend's wifi network.

Maybe that's not what you want, maybe you want to jam all the people on a particular channel well wifijammer can help you even with that just type:

sudo wifijammer -c <<CHANNEL-NUMBER>>

with -c we specify to wifijammer that we only want to deauth clients on a specified channel. Again you can see with airodump-ng who is on which channel.

wifijammer has got many other flags you can check out all flags using this command that you always knew:

sudo wifijammer -h

Hope you enjoyed it, good bye and have fun :)