Black Hat Briefings
TRANSCRIPT
Issuer, Audience, Expire Date, Claims, Signature
```csharp
// System.IdentityModel.Tokens.X509AsymmetricSecurityKey
public override HashAlgorithm GetHashAlgorithmForSignature(string algorithm) {
    ...
    object algorithmFromConfig = CryptoHelper.GetAlgorithmFromConfig(algorithm);
    ...

// System.IdentityModel.CryptoHelper
internal static object GetAlgorithmFromConfig(string algorithm) {
    ...
    obj = CryptoConfig.CreateFromName(algorithm);
    ...
}
```
```csharp
// System.Security.Cryptography.CryptoConfig
public static object CreateFromName(string name, params object[] args) {
    ...
    if (type == null) {
        type = Type.GetType(name, false, false);
        if (type != null && !type.IsVisible)
            type = null;
    }
    ...
    RuntimeType runtimeType = type as RuntimeType;
    ...
    MethodBase[] array = runtimeType.GetConstructors(BindingFlags.Instance | BindingFlags.Public | BindingFlags.CreateInstance);
    ...
    object obj;
    RuntimeConstructorInfo runtimeConstructorInfo = Type.DefaultBinder.BindToMethod(BindingFlags.Instance | BindingFlags.Public | BindingFlags.CreateInstance, array, ref args, null, null, null, out obj)
    ...
    object result = runtimeConstructorInfo.Invoke(BindingFlags.Instance | BindingFlags.Public | BindingFlags.CreateInstance, Type.DefaultBinder, args, null);
```
```csharp
// System.IdentityModel.SignedXml
public void StartSignatureVerification(SecurityKey verificationKey) {
    string signatureMethod = this.Signature.SignedInfo.SignatureMethod;
    ...
    using (HashAlgorithm hash = asymmetricKey.GetHashAlgorithmForSignature(signatureMethod))
    ...
```

```xml
<saml:Assertion ...>
  ...
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      ...
    </ds:SignedInfo>
    <ds:SignatureValue>WNKeaE3R....SLMRLfIN/zI=</ds:SignatureValue>
    ...
  </ds:Signature>
</saml:Assertion>
```
```csharp
// System.Web.Mobile.CookielessData
public CookielessData() {
    string formsCookieName = FormsAuthentication.FormsCookieName;
    string text = HttpContext.Current.Request.QueryString[formsCookieName];
    ...
    {
        FormsAuthenticationTicket tOld = FormsAuthentication.Decrypt(text);
```
```csharp
// Microsoft.Exchange.Search.Fast.FastManagementClient
static FastManagementClient() {
    ...
    AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(OnAssemblyResolveEvent);
}

// Microsoft.Exchange.Search.Fast.FastManagementClient
private static Assembly OnAssemblyResolveEvent(object sender, ResolveEventArgs args) {
    string name = args.Name.Split(new char[]{','})[0];
    string path1 = Path.Combine(FastManagementClient.fsisInstallPath, "Installer\\Bin");
    string path2 = Path.Combine(FastManagementClient.fsisInstallPath, "HostController");
    string[] paths = new string[] {path1,path2};
    for (int i = 0; i < paths.Length; i++) {
        string full_path = paths[i] + Path.DirectorySeparatorChar.ToString() + name + ".dll";
        if (File.Exists(full_path))
            return Assembly.LoadFrom(full_path);
        ...
```
SecurityKey
SecurityToken
SecurityToken
• System.IdentityModel.Selectors.SecurityTokenResolver
```csharp
// System.IdentityModel.Tokens.SamlAssertion
SecurityKeyIdentifier keyIdentifier = signedXml.Signature.KeyIdentifier;
this.verificationKey = SamlSerializer.ResolveSecurityKey(keyIdentifier, outOfBandTokenResolver);
if (this.verificationKey == null) throw ...
this.signature = signedXml;
this.signingToken = SamlSerializer.ResolveSecurityToken(keyIdentifier, outOfBandTokenResolver);
```
```csharp
// System.IdentityModel.Tokens.SamlSerializer
internal static SecurityKey ResolveSecurityKey(SecurityKeyIdentifier ski, SecurityTokenResolver tokenResolver)
{
    if (ski == null)
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("ski");
    if (tokenResolver != null) {
        for (int i = 0; i < ski.Count; i++) {
            SecurityKey result = null;
            if (tokenResolver.TryResolveSecurityKey(ski[i], out result)) {
                return result;
            }
        }
    }
    ...
```
```csharp
// System.ServiceModel.Security.AggregateSecurityHeaderTokenResolver
bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key) {
    ...
    resolved = this.tokenResolver.TryResolveSecurityKey(keyIdentifierClause, false, out key);
    if (!resolved)
        resolved = base.TryResolveSecurityKeyCore(keyIdentifierClause, out key);
    if (!resolved)
        resolved = SecurityUtils.TryCreateKeyFromIntrinsicKeyClause(keyIdentifierClause, this, out key);
```
```csharp
// System.ServiceModel.Security.AggregateSecurityHeaderTokenResolver
override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token) {
    bool resolved = false;
    token = null;
    resolved = this.tokenResolver.TryResolveToken(keyIdentifier, false, false, out token);
    if (!resolved)
        resolved = base.TryResolveTokenCore(keyIdentifier, out token);
    if (!resolved) {
        for (int i = 0; i < keyIdentifier.Count; ++i) {
            if (this.TryResolveTokenFromIntrinsicKeyClause(keyIdentifier[i], out token)) {
                resolved = true;
                break;
            }
```
Auth Token
```csharp
foreach (SecurityKeyIdentifierClause securityKeyIdentifierClause in keyIdentifier) {
    …
}

if (!tokenResolver.TryResolveSecurityKey(_signedXml.Signature.KeyIdentifier[0], out key)) {
    ...
}
```
• System.IdentityModel.Tokens.IssuerTokenResolver
• X509CertificateStoreTokenResolver
• ResolveSecurityKey() EncryptedKeyIdentifierClause
• ResolveToken()
X509 Certificate Store
• Microsoft.SharePoint.IdentityModel.SPIssuerTokenResolver