BSIDES DFW 2014

Into the Mobile DeepExploiting and Analyzing Microsoft SurfaceApplications

2

Who am I?

Wardell Motley

Currently: Penetration Tester Veracode

Previously

Sr. Penetration Tester (Undisclosed)

Systems Administrator: Walls Industries

Network Administrator: CSI

Other Security Related Stuff:

Contributor: The Ethical Hacker.Net

Contributor:Hakin9 Magazine

…….Others

3

• Why Bother?

• Introduction to Microsoft Surface

• App Supply Chain

• Package Breakdown

• Extraction and Analysis

• Web Analysis

Goals

4

• Seems to be very little discussion surrounding

Surface Platform Applications

• Most People seem to be Fixated on IOS and

Android Applications

• More and More Surface devices appearing in the

Enterprise environment due to BYOD

• I’m tired of hearing about things everyone else

already knows!!

Why Bother?

5

Surface Platform

(More than just the tablets)

6

Surface Platform

Architecture

OS Kernel CPU

Surface ARMv7 WinRT 8.0 Nvida Tegra

Surface 2 ARMv7 WinRT 8.1 Nvida Tegra

Surface Pro x86/x64 WinRT 8.0 Intel Ivy Bridge

Surface Pro 2 x86/x64 WinRT 8.0 Intel Haswell

Surface Pro 3 x86/x64 WinRT 8.1 Intel Haswell

7

Surface App Supply Chain

DevelopmentWin32 and C++

.NET

C# and XAML

DirectX

HTML/JavaScript

PublishWindows Store

ConsumptionSurface

Surface 2

Surface Pro 2

8

Windows Runtime app packages

.Appx

AppX

App Manifest App Block Map App Signature

App Payload

9

Windows Runtime app packages

.Appx

App Payload

App Code files and assets

Payload files are the code files and assets that you create when you actually create the App

App Manifest

The manifest declares the identity of the application. Basically what does this application do?

App Block Map

The block map files lists all of the applications files along with associated cryptographic hashes

App Signature

The app signature ensures that the contents of the Appx hasn’t been modified and they get

signed

10

Surface Apps: Distribution & Location

Apps are distributed as .zip archives from the Microsoft Store

3rd party apps are stored inside C:\Program Files\WindowsApps

11

Directory Structure

12

Surface Apps: Distribution & Location

13

Surface Apps: Distribution & Location

14

Surface Apps: Extraction & Analysis

Unzip It!

15

Surface Apps: Extraction & Analysis

App packer (MakeAppx.exe)

App Packer creates the app package from files on disk or extracts the files from

the app package to disk

- Requires Installation of Windows SDK 8.1

16

Surface Apps: Extraction & Analysis

Extract It!

MakeAppx unpack /l /v /p application.appx /d “D:\My Files

17

Surface Apps: Extraction & Analysis

Extract It!

18

Surface Apps: Extraction & Analysis

Unzip It!

19

Surface Apps: Extraction & Analysis

Goodies to be Found!

Hard Coded Usernames and Passwords

Database Files with Unmasked User data

Active Test Licensing Keys

Many others……

20

Surface Apps: Web Analysis

Proxying Surface Application traffic through Burp Suite

Traditional Web Application Testing

21

Surface Apps: Web Analysis

You are already a Pro at this!

Setup Secondary Interface Under Burp Suite Options Tab

Install Burp Suite SSL Certificate in Trusted Store on Microsoft Store

22

Surface Apps: Web Analysis

If you are not the web app guy you thought you were see references!

23

Surface Apps: Web Analysis

If you are not the web app guy you thought you were see references!

Setup Secondary Interface Under Burp Suite Options Tab

Install Burp Suite SSL Certificate in Trusted Store on Microsoft Store

24

Surface Apps: Web Analysis

Goodies to be Found!

OWASP Top 10 Yada Yada

Other Unencrypted Goodness

25

Questions?

26

Contact Information

LinkedIn: Wardell Motley

Twitter:Infowarrior0

Email:infowarrior0@gmail.com

Please Put “Bsides DFW 2014 in the Subject Line”

27

App Packager Managerhttp://msdn.microsoft.com/en-us/library/windows/desktop/hh446767(v=vs.85).aspx

Windows SDK for Windows 8.1

http://dev.windows.com/en-us/develop/downloads

XAML Decompiler (Convert XBF to XAML)

http://xamldecompiler.codeplex.com/

Burp Suite Pro

http://portswigger.net/burp/

Installing Burp Suite Pro SSL Certificates

http://portswigger.net/burp/help/proxy_options_installingCAcert.html

References:

28

Proxying Traffic through Microsoft Surface http://www.7tutorials.com/how-set-proxy-server-windows-81-tablet-or-hybrid-device

Burp Suite SSL Options

http://portswigger.net/burp/help/options_ssl.html

Windows Runtime Apps

http://msdn.microsoft.com/en-us/library/windows/desktop/hh464929.aspx

References:

http://www.7tutorials.com/how-set-proxy-server-windows-81-tablet-or-hybrid-devicehttp://www.7tutorials.com/how-set-proxy-server-windows-81-tablet-or-hybrid-device