Why/What Blockchain Exploitation?
In this blog series we will analyze blockchain vulnerabilities and exploit them ourselves in various lab and development environments. If you would like to stay up to date on new posts, follow and subscribe to the following:
Twitter: @ficti0n
URL: http://cclabs.io
http://consolecowboys.com
As of late I have been unnaturally obsessed with blockchains and cryptocurrency. With that obsession comes the normal curiosity of "How do I hack this and steal all the monies?"
However, as usual I could not find any actual walkthrough or solid examples of actually exploiting real code live. Just theory and halfway explained examples.
Note: As usual this is live ongoing research and info will be released as it is coded and exploited.
Background Info:
- In client-server we generally have the following:
  - Front End - what the user sees (HTML etc.)
  - Server Side - code that handles business logic
  - Back End - your database, for example MySQL
A Decentralized Application Model:
- Smart contracts are your access into the blockchain.
- Your smart contract is kind of like an API
- Essentially DAPPs are Ethereum-enabled applications that use smart contracts as an API to the blockchain data ledger
- DAPPs can be banking applications, wallets, video games etc.
A blockchain is a trust-less peer to peer decentralized database or ledger
Consensus:
Proof of stake is simply staking large sums of coins, which are at risk of loss if the staker performs a malicious action while helping to reach consensus on the data.
Things to Note:
- So, the thing to note is that our smart contracts are located on the blockchain
- And the blockchain is immutable
  - This means an Agile development model is not going to work once a contract is deployed.
  - This means that updates to contracts are next to impossible.
  - All you can really do is create kill-switch or fail-safe functions that disable the contract and execute some actions if something goes wrong, before it goes permanently dormant.
  - If you don't include a kill switch the contract stays open and available and you can't remove it.
- Smart contracts are generally open source
  - Which means people like ourselves are manually bug hunting smart contracts and running static analysis tools against smart contract code looking for bugs.
- Kill the current contract, which stays on the blockchain
- Then deploy a whole new version.
- If there is no kill switch the contract will be available forever.
- Many contracts and projects do not even think about an SDLC.
  - They rarely add penetration testing and vulnerability testing in the development stages, if at all.
  - At best there is a bug bounty before the release of their main-nets,
  - Which usually get hacked to hell and delayed because of it.
  - Things are getting better, but they are still behind the curve, as the technology is new and blockchain is mostly developers and marketers, not hackers or security testers.
- If sensitive data is placed on the blockchain it is there forever
  - Which means that if a cryptographic algorithm is broken, anything encrypted with that algorithm is now accessible.
  - We all know that algorithms are eventually broken!
  - So it's always advisable to keep a hash of sensitive data on the blockchain for integrity, but not to store the data itself on the blockchain directly.
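As an added illustration (not code from the original post), here is a minimal Solidity contract with the owner-only fail-safe and kill-switch functions the list above describes: a pause flag halts normal use while a problem is investigated, and the kill function sweeps remaining funds to the owner and leaves the contract permanently dormant, since the code itself can never be removed from the chain. The contract name FailSafeVault and its owner/paused/dead fields are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not from the original post. A tiny deposit/withdraw vault
// whose only "update" path is the one the post describes: disable it via a
// kill switch, then deploy a new version.
contract FailSafeVault {
    address public owner;
    bool public paused;   // temporary fail-safe: halts deposits and withdrawals
    bool public dead;     // permanent kill switch: contract goes dormant for good
    mapping(address => uint256) public balances;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier live() { require(!paused && !dead, "contract disabled"); _; }

    function deposit() external payable live {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external live {
        require(balances[msg.sender] >= amount, "insufficient balance");
        // Update state before the external call (checks-effects-interactions),
        // so a re-entering caller sees the reduced balance.
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Fail-safe: the owner can freeze the contract while something is investigated
    // and unfreeze it again afterwards.
    function setPaused(bool p) external onlyOwner { paused = p; }

    // Kill switch: one-way. The bytecode stays on the blockchain, but every
    // live() function refuses to run from now on. Remaining ether is swept to
    // the owner, who is then responsible for returning it to depositors.
    function kill() external onlyOwner {
        dead = true;
        (bool ok, ) = owner.call{value: address(this).balance}("");
        require(ok, "sweep failed");
    }
}
```

Without the `dead` flag (or the classic `selfdestruct`) there is no way to retire this contract once deployed; a freshly deployed replacement would simply sit beside the old, still-callable one.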
Exploitation of Re-Entrancy Vulnerabilities:
Example Scenario:
Example Target Code:
Example Attacking Code:
Setting up a Lab Environment and coding your Attack:
Coding your Exploit and Interfacing with a Contract Programmatically:
Conclusion: