Bosses love excel, hackers too

Talk delivered by Chema Alonso and Juan Garrido "Silverhack" at Defcon 19 about new tricks for hacking Citrix and Terminal Services environments using Excel (and Office apps) to run commands on the server.

Published in: Technology
Transcript

  • 1. Bosses love Excel … hackers too!
      - Juan Garrido “Silverhack”
      - Chema Alonso (@chemaalonso)
      - INFORMATICA64.COM
  • 2. Who?
  • 3. About
      - Working at INFORMATICA64.COM
      - http://www.informatica64.com
  • 4. What?
  • 5. Terminal Applications
  • 6. Why?
  • 7. RDP
  • 8. Citrix
  • 9. Using Bing
  • 10. Government Sites
  • 11. Government Sites
  • 12. Secure?
  • 13.
  • 14. Verbosity
      - Conf files are too verbose
      - Internal IP address
      - Users & encrypted passwords
      - Internal software
      - Perfect for APTs
      - 0-day exploits
      - Evilgrade attacks
  • 15. Verbosity
  • 16. Verbosity
      - Attacker can:
      - Modify conf files
      - Generate error messages
      - Fingerprint all software
      - Example: C.A.C.A.
  • 17. Terminal Services
      - Remoteapplicationmode
      - 0 -> Desktop
      - 1 -> Only App
      - What app?
      - Alternate Shell (RDP < v 6.0)
      - RemoteApplicationProgram (RDP v 6.0++)
  • 18. Terminal Services Error Messages
  • 19. Computer Assisted Citrix Apps
  • 20. Playing the Piano
  • 21. Playing the Piano
      - Too many links
      - Especially running on Windows 2008
      - Too many environment variables
      - %SystemRoot%
      - %ProgramFiles%
      - %SystemDrive%
  • 22. Windows Server 2008 wants to help you!! (anytime!)
  • 23. Playing the Piano
      - Too many shortcuts
      - Ctrl + h – Web History
      - Ctrl + n – New Web Browser
      - Shift + Left Click – New Web Browser
      - Ctrl + o – Internet Address
      - Ctrl + p – Print
      - Right Click (Shift + F10)
      - Save Image As
      - View Source
      - F1 – Jump to URL…
  • 24. Playing the Piano
      - Too, too, too many shortcuts:
      - ALT GR + DEL = CTRL + ALT + DEL
      - CTRL + F1 = CTRL + ALT + DEL
      - CTRL + F3 = TASK MANAGER
      - Sticky Keys
  • 25. Easy?
  • 26. Demo Servers
  • 27. Paths?
  • 28. Minimum Exposure Paths
      - There are as many paths as published apps
      - Every app is a path that could lead to privilege elevation
      - Complex tools are better candidates
      - Excel is a complex tool
  • 29. Bosses love EXCEL
  • 30. VBA
  • 31. Excel 1: The power of VBA
  • 32. Software Restriction Policies
      - Too many consoles
      - Cmd.exe
      - Windows Management Instrumentation
      - PowerShell
      - Jscript
      - Cscript..
      - ….
  • 33. Software Restriction Policies
      - Forbidden apps
      - Via hash
      - Via path
      - AppLocker
      - Using digital certificates
      - ACLs
  • 34. Software Restriction Policies
      - Too many consoles,
      - (Even from other OS)
      - ReactOS….
  • 35. Excel 2: Forbidden consoles
  • 36. Security Policies for Excel Macros
      - 1) Disable VBA
      - Secure, but it's not REAL Excel
      - 2) Security for macros
      - No macros
      - Signed macros
      - Case by case
      - All macros
  • 37. Excel 3: No macros!
  • 38.
  • 39. Excel 4: Only signed macros
  • 40. Risky?
  • 41. Start the III World War
      - Find a bug in a DHS computer
      - Trust in your rogue CA
      - Generate an attacking URL in the CRL (attacking China, for example)
      - Sign an Excel file with your rogue CA
      - Send a digitally-signed Excel file to someone relevant!
  • 42. Something like…
  • 43. Just kidding
  • 44. Solutions
      - Re-evaluate your Remote App connections
      - No alerts at all in Excel (and all the rest of the apps you publish)
      - No trusted locations in user profiles
      - No shared remote users
      - Trust in nobody…
      - Sorry, not even in nobody
  • 45. How many paths do you have?
      - TS Web Access
      - Hidden means not removed
  • 46. Contact information
      - Juan Garrido “Silverhack”
      - jgarrido@informatica64.com
      - http://windowstips.wordpress.com
      - Chema Alonso
      - chema@informatica64.com
      - http://www.elladodelmal.com
      - @chemaalonso
      - http://www.informatica64.com
  • 47. Special Thanks to
      - Didier Stevens
      - http://blog.didierstevens.com/2010/02/04/cmd-dll/
      - Shanit Gupta
      - http://www.blackhat.com/presentations/bh-usa-08/Gupta/BH_US_08_Gupta_Got_Citrix_Hack_IT.pdf
      - PDP
      - http://www.blackhat.com/presentations/bh-europe-08/Petkov/Presentation/bh-eu-08-petkov.pdf
  • 48. ?
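
An added example, not part of the talk: a Python audit of a published .rdp file for the verbose settings slides 14 and 17 list (internal IP address, user, encrypted password, and which app or shell the connection starts). The sample file and every value in it are constructed; `full address`, `username`, `password 51` and `gatewayhostname` are standard .rdp setting names that the slides do not spell out.

```python
import ipaddress
import re

# Constructed sample of a published .rdp file; every value is made up.
SAMPLE_RDP = """\
full address:s:10.20.30.40
username:s:CORP\\svc_excel
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB
remoteapplicationmode:i:1
remoteapplicationprogram:s:||EXCEL
alternate shell:s:
gatewayhostname:s:ts.example.com
"""

LINE = re.compile(r"^([^:]+):([a-z]):(.*)$")  # name:type:value

def parse_rdp(text):
    """Return {lower-cased setting name: value} for each name:type:value line."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings

def is_internal(host):
    """True when host is a literal private IPv4 address (optional :port)."""
    try:
        return ipaddress.ip_address(host.split(":")[0]).is_private
    except ValueError:
        return False  # a hostname or empty value, not an IP literal

def audit_rdp(text):
    """List the details a published .rdp file discloses to whoever downloads it."""
    s = parse_rdp(text)
    findings = []
    if is_internal(s.get("full address", "")):
        findings.append("internal IP address: " + s["full address"])
    if s.get("username"):
        findings.append("user name: " + s["username"])
    if s.get("password 51"):
        findings.append("encrypted password stored in file")
    if s.get("remoteapplicationmode") == "1":  # 1 -> only app (RDP 6.0+)
        findings.append("RemoteApp only: " + s.get("remoteapplicationprogram", "?"))
    else:  # 0 -> desktop; older clients start the alternate shell if set
        app = s.get("alternate shell")
        findings.append("full desktop" + (", alternate shell: " + app if app else ""))
    return findings
```

Running `audit_rdp` over every file served by a TS Web Access or Citrix portal gives a quick inventory of published paths and of what each file leaks.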
