nullcon 2010 - The evil karmetasploit upgrade
nullcon 2010 - The evil karmetasploit upgrade by Veysel Ozer

Published in: Technology

Transcript

  • 1. Veysel Oezer: The Evil Karmetasploit Upgrade. nullcon Goa 2010 http://nullcon.net
  • 2. Overview: Introduction, Background, Title, Realization, Results, Conclusion. Demos in between!
  • 3. Introduction: IT Security: increasing attacks
  • 4. Introduction: IT Security: increasing attacks, also in Germany
  • 5. Introduction: Know your enemy! ”So it is said that if you know your enemies and know yourself, you will fight without danger in battles. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself.”
  • 6. Background: The man in the middle. The hacker tools: Evilgrade, Metasploit, Karma + Karmetasploit
  • 7. The man in the middle attack
  • 8. Known MitM attacks: ARP spoofing, DNS spoofing, BGP hacking, ICMP redirect, ... Karma! The evil twin hotspot
  • 9. Background: The hacker tools
  • 10. Evilgrade: Framework for attacking weak update mechanisms. ”The idea..is the centralization and exploitation of different update impl. all together in one tool” Written in Perl and published 2007-2008. Existing modules: Sun Java, Apple OS X
  • 11. Evilgrade: How does it work
  • 12. Evilgrade
  • 13. Evilgrade
  • 14. Metasploit: Vulnerability development framework. Reduces the work of creating an exploit. Penetration testing. Several hundred exploits. #5 in the top 100 security tools. Written in Ruby and BSD licensed. "Don't try to teach yourself how to use metasploit under the security camera at the airport"
  • 15. Metasploit architecture
  • 16. Karma: The evil twin access point. MitM attack on Windows XP Wireless Zero Configuration... or just name it ”FreeWifi” ;) After MitM, steal authentication data: HTTP, FTP, POP3, IMAP and so on. Released in 2004
  • 17. Karmetasploit: Reimplementation of Karma in Metasploit. Fake access point integrated into aircrack-ng. Authentication capturing implemented as auxiliary modules for Metasploit. Several improvements: better hardware support, cookie and form data stealing, browser exploitation
  • 18. Goals: Evilgrade 2 Metasploit. Reimplement the functionality as a Metasploit module. Improve the new system: port sharing, stealth mode, faster Metasploit payload generation. Transfer existing Evilgrade modules into the new system. Create new fake servers: SIP and XMPP. Find new vulnerabilities in software
  • 19. Fake XMPP: Based on TCP. Used for Jabber → instant messaging, Google Talk... Has built-in strong security, but depends on server and client. Cleartext password transmission possible
  • 20. Fake SIP server: UDP based protocol. Redefined in several RFCs. Authentication similar to HTTP Digest: challenge/response. Try a downgrade attack to use Basic Authentication
  • 21. Realisation: Environments, Evilgrade 2 Metasploit, authentication capturing servers, analysis of update mechanisms
  • 22. Used tools: Wireshark, Jacksum, Vbindiff, VMware Workstation, Netcat, GHex
  • 23. Attack Environment: DEMO
  • 24. Realisation: E-2-M
  • 25. Fake XMPP
  • 26. Fake SIP server
  • 27. Analysis: 1. Install an old version on the target. 2. Sniff the update process on the attacker. 3. Analyze network communication. 4. If possible, try to simulate the update server. 5. If possible, install the latest version on the target. 6. Improve the server to be version independent. 7. Improve the server to allow configuring options, like the description shown as update information to the client.
  • 28. Results: Fake SIP and XMPP servers. Reimplementation of Evilgrade. Analysis of update implementations: not hacked, indirect hacks, hacked
  • 29. Results – fake servers: XMPP works. SIP: the downgrade attack had no success; capturing of Digest Authentication is working. DEMO
  • 30. Results: Evilgrade in Metasploit. Reimplemented the old functionality. Old modules ported. Several improvements: all the ones mentioned; anti-virus bypassing for Metasploit payloads (DEMO at the end if time is left); some others...
  • 31. Results - Analysis: Not hacked: uTorrent, Avira Antivir, Foxit Reader, VLC (uses PGP), Ad-Aware (the only one that uses SSL), Spybot, AVG Antivir, Comodo Firewall, Picasa, ZoneAlarm, WinRAR, FlashGet, Camfrog..
  • 32. Results – Not hacked: uTorrent uses binary signed data ?!?
  • 33. Results – Not hacked: Avira Antivir. MASTER.IDX: CRDATE=20090505_1833 <3f76d242c16a5491bfe98540f68c36c9>
  • 34. Results – Not hacked: Foxit Reader and the fzip file format
  • 35. Results - Analysis: Indirect hack: Skype, QuickTime, Orbit Downloader, Miranda IM. DEMO
  • 36. Results - Analysis: Hacked: Trillian, Kerio Firewall, SuperAntiSpyware, FileZilla, GOM Player, DivX Player
  • 37. Trillian update mechanism: Binary update information. Can you read that?
  • 38. Trillian update mechanism: Binary update information
  • 39. Results - Hacked: DEMO
  • 40. Conclusion: The release candidate of the evil karmetasploit upgrade is ready. No need for Evilgrade anymore. Several improvements compared to Evilgrade. New authentication capturing servers. Several weak update implementations found, with over 100 million downloads from www.cnet.com
  • 41. Conclusion: Feature list for version 2: SIP downgrade attack on old SIP hardware; fake XMPP-over-HTTP server; improved design to handle Avira Antivir. Feature list for version 3: advanced stealth mode (intelligent fake DNS server); find more vulnerabilities
  • 42. Conclusion: Software developers: please make secure software. Use standards and deny weak stuff by default. And for the rest of us: be aware of these attack vectors. Do not install every ”important security update”. Do not trust security software by default. Do not trust the Internet, especially (public) Wifi networks
  • 43. That's it! Q & A
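Slides 20 and 29 give the fake SIP server two outcomes: the downgrade to Basic Authentication failed, while the Digest challenge/response could still be captured. The added example below (not code from the talk, from Metasploit or from Evilgrade) shows from the client's and the genuine server's side what makes the downgrade fail: a client policy that answers only Digest challenges with qop=auth and refuses everything else, and the server-side check of that response against a stored password that never crosses the wire. The helper names (`parse_auth_header`, `answer_challenge`, `verify_authorization`), the realm `sip.example` and the credentials are assumptions constructed for this example; SIP-specific details such as Proxy-Authenticate handling and auth-int are left out.

```ruby
require 'digest'
require 'securerandom'

# Parse a challenge or credentials header such as
#   Digest realm="sip.example", nonce="...", qop="auth", algorithm=MD5
# into [scheme, { param => value }]. Quoted and bare values are both accepted.
def parse_auth_header(header)
  scheme, rest = header.strip.split(/\s+/, 2)
  params = {}
  (rest || '').scan(/(\w+)=(?:"([^"]*)"|([^,\s]+))/) { |k, quoted, bare| params[k] = quoted || bare }
  [scheme.downcase, params]
end

# Digest response as defined for HTTP (RFC 2617) and reused by SIP (RFC 3261), qop=auth.
def digest_response(user, realm, pass, method, uri, nonce, cnonce, nc, qop)
  ha1 = Digest::MD5.hexdigest("#{user}:#{realm}:#{pass}")
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
  Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{nc}:#{cnonce}:#{qop}:#{ha2}")
end

# Client policy (assumed): the password leaves the client only inside a Digest
# response. Any other scheme offered by a (possibly fake) server is refused, not answered.
ALLOWED_SCHEMES = %w[digest].freeze

def answer_challenge(header, user, pass, method:, uri:, cnonce: SecureRandom.hex(8))
  scheme, params = parse_auth_header(header)
  unless ALLOWED_SCHEMES.include?(scheme)
    return { status: :refused, reason: "scheme '#{scheme}' would send the password in the clear" }
  end
  qops = params.fetch('qop', '').split(',').map(&:strip)
  return { status: :refused, reason: 'qop=auth required' } unless qops.include?('auth')
  nc = '00000001'
  response = digest_response(user, params['realm'], pass, method, uri, params['nonce'], cnonce, nc, 'auth')
  { status: :ok,
    authorization: %(Digest username="#{user}", realm="#{params['realm']}", nonce="#{params['nonce']}", ) +
                   %(uri="#{uri}", qop=auth, nc=#{nc}, cnonce="#{cnonce}", response="#{response}") }
end

# Genuine server side: a fresh nonce per challenge, then verification of the client's
# response against the stored password (constructed store; a real server keeps HA1 or a hash).
def issue_challenge(realm)
  nonce = SecureRandom.hex(16)
  [nonce, %(Digest realm="#{realm}", nonce="#{nonce}", qop="auth", algorithm=MD5)]
end

def verify_authorization(auth_header, expected_nonce, method, passwords)
  scheme, params = parse_auth_header(auth_header)
  return false unless scheme == 'digest' && params['nonce'] == expected_nonce # stale or replayed nonce
  pass = passwords[params['username']]
  return false if pass.nil?
  expected = digest_response(params['username'], params['realm'], pass, method, params['uri'],
                             params['nonce'], params['cnonce'], params['nc'], params['qop'])
  expected == params['response']
end

# Three exchanges with constructed credentials: a genuine login, a wrong password,
# and the Basic-only challenge a downgrading fake server would send.
def run_exchanges
  passwords = { 'alice' => 'correct horse battery' } # constructed credential store
  uri = 'sip:sip.example'
  nonce, challenge = issue_challenge('sip.example')

  good = answer_challenge(challenge, 'alice', 'correct horse battery', method: 'REGISTER', uri: uri)
  bad  = answer_challenge(challenge, 'alice', 'wrong password', method: 'REGISTER', uri: uri)
  downgrade = answer_challenge('Basic realm="sip.example"', 'alice', 'correct horse battery',
                               method: 'REGISTER', uri: uri)
  {
    genuine:        verify_authorization(good[:authorization], nonce, 'REGISTER', passwords),
    wrong_password: verify_authorization(bad[:authorization], nonce, 'REGISTER', passwords),
    downgrade:      downgrade[:status]
  }
end

puts run_exchanges.inspect if $PROGRAM_NAME == __FILE__
```

The capture result on slide 29 shows the limit of this policy: it stops only the cleartext case. A fake server that offers a Digest challenge still receives the MD5 response, which can be tested offline against password guesses, so Digest protects the password on the wire but not against an endpoint the attacker controls. Transport protection (TLS/SIPS) plus strong passwords is what closes that gap.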
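Slides 31 to 36 sort the analysed products by whether their update mechanism could be impersonated (uTorrent's signed binary data and VLC's PGP signatures held; the "hacked" entries trusted whatever the update server said), and slide 42 asks developers to use standards and deny weak stuff by default. The added example below (not from the talk or from any product named on the slides) shows the checks the "not hacked" entries rely on: a signed update manifest verified against a key pinned in the client, a hash binding the downloaded package to that manifest, and a rollback check so an old but genuinely signed manifest cannot be replayed. The key pair, package bytes and version numbers are constructed so the example runs offline; `sign_manifest`, `verify_update` and the manifest field names are assumptions, not a real product's format.

```ruby
require 'openssl'
require 'json'
require 'digest'

# Constructed publisher key pair so the example runs offline. In a real client the
# public key is pinned in the binary; the private key stays on the release system.
PUBLISHER_KEY = OpenSSL::PKey::RSA.new(2048)
PINNED_PUBLIC_KEY = PUBLISHER_KEY.public_key

INSTALLED_VERSION = '1.4.2' # constructed
GENUINE_PACKAGE   = 'constructed genuine update package bytes'
MALICIOUS_PACKAGE = 'constructed attacker-supplied package bytes'

# Dotted version comparison; true when candidate is strictly newer than installed.
def newer?(candidate, installed)
  (candidate.split('.').map(&:to_i) <=> installed.split('.').map(&:to_i)) == 1
end

# Release side: serialize the manifest and sign exactly those bytes.
def sign_manifest(fields, private_key)
  body = JSON.generate(fields)
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), body)
  { 'body' => body, 'sig' => [signature].pack('m0') }
end

# Client side: the checks an impersonated updater skips. Returns :ok or the rejection reason.
def verify_update(signed, package_bytes, installed_version, pinned_key)
  signature = signed['sig'].unpack1('m0')
  # 1. Only a manifest signed with the publisher's key is trusted, so a fake update
  #    server or an edited manifest is rejected before anything in it is parsed.
  return :bad_signature unless pinned_key.verify(OpenSSL::Digest.new('SHA256'), signature, signed['body'])
  manifest = JSON.parse(signed['body'])
  return :bad_manifest unless manifest.is_a?(Hash) && manifest['version'] && manifest['sha256']
  # 2. Rollback protection: a genuinely signed but older manifest is still refused.
  return :rollback unless newer?(manifest['version'], installed_version)
  # 3. The package must match the hash the signed manifest commits to.
  return :hash_mismatch unless Digest::SHA256.hexdigest(package_bytes) == manifest['sha256']
  :ok
end

# Five constructed scenarios: one genuine update and four things a client must refuse.
def scenarios
  genuine = sign_manifest({ 'version' => '1.5.0',
                            'sha256' => Digest::SHA256.hexdigest(GENUINE_PACKAGE) }, PUBLISHER_KEY)

  # A fake update server signs its own manifest with a key the client does not pin.
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  forged = sign_manifest({ 'version' => '9.9.9',
                           'sha256' => Digest::SHA256.hexdigest(MALICIOUS_PACKAGE) }, rogue_key)

  # The genuine manifest altered in transit: the signature no longer covers the body.
  tampered = genuine.merge('body' => genuine['body'].sub('1.5.0', '9.9.9'))

  # A genuinely signed manifest from an older release, replayed to force a downgrade.
  stale = sign_manifest({ 'version' => '1.0.0',
                          'sha256' => Digest::SHA256.hexdigest(GENUINE_PACKAGE) }, PUBLISHER_KEY)

  {
    genuine:         verify_update(genuine,  GENUINE_PACKAGE,   INSTALLED_VERSION, PINNED_PUBLIC_KEY),
    forged:          verify_update(forged,   MALICIOUS_PACKAGE, INSTALLED_VERSION, PINNED_PUBLIC_KEY),
    tampered:        verify_update(tampered, GENUINE_PACKAGE,   INSTALLED_VERSION, PINNED_PUBLIC_KEY),
    rollback:        verify_update(stale,    GENUINE_PACKAGE,   INSTALLED_VERSION, PINNED_PUBLIC_KEY),
    swapped_package: verify_update(genuine,  MALICIOUS_PACKAGE, INSTALLED_VERSION, PINNED_PUBLIC_KEY)
  }
end

puts scenarios.inspect if $PROGRAM_NAME == __FILE__
```

Two design points matter more than the crypto primitive: the signature is checked before the manifest is parsed, so an attacker-controlled server never gets to feed data to the parser, and the version check rejects signed-but-old manifests, which a plain signature check alone would accept. Transport security such as the SSL that slide 31 credits Ad-Aware with is a complement, not a substitute: it authenticates the connection, while the pinned signature authenticates the update itself.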
