Veysel Oezer

The Evil Karmetasploit Upgrade

nullcon Goa 2010      http://nullcon.net
  1. Veysel Oezer: The Evil Karmetasploit Upgrade. nullcon Goa 2010, http://nullcon.net
  2. Overview
       Introduction
       Background
       Title
       Realization
       Results
       Conclusion
       Demos in between !
  3. Introduction
       IT Security
         Increasing attacks
  4. Introduction
       IT Security
         Increasing attacks
         also in Germany
  5. Introduction
       Know your enemy !
       ”So it is said that if you know your enemies and know yourself, you will fight without danger in battles. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself.”
  6. Background
       The man in the middle
       The hacker tools
         Evilgrade
         Metasploit
         Karma + Karmetasploit
  7. The man in the middle attack
  8. Known MitM attacks
       ARP spoofing
       DNS spoofing
       BGP hacking
       ICMP redirect, ...
       Karma !
         The evil twin hotspot
  9. Background: The hacker tools
 10. Evilgrade
       Framework for attacking weak update mechanisms
       ”The idea..is the centralization and exploitation of different update impl. all together in one tool”
       Written in Perl and published 2007-2008
       Existing modules
         Sun Java
         Apple OS X
 11. Evilgrade: How does it work
 12. Evilgrade
 13. Evilgrade
 14. Metasploit
       Vulnerability development framework
         Reduce the work for creating an exploit
       Penetration testing
       Several hundred exploits
       #5 from top 100 security tools
       Written in Ruby and BSD licensed
       "Don't try to teach yourself how to use metasploit under the security camera at the airport"
 15. Metasploit architecture
 16. Karma
       The evil twin access point
       MitM attack on WinXp
         Wireless Zero Configuration...
         Or just name ”FreeWifi” ;)
       After MitM, steal authentication data
         Http, Ftp, Pop3, Imap and so on
       Released in 2004
 17. Karmetasploit
       Reimplementation of Karma into Metasploit
       Fake access point integrated into aircrack-ng
       Authentication capturing implemented as auxiliary modules for Metasploit
       Several improvements
         Better hardware support
         Cookie, Form data stealing
         Browser exploitation
 18. Goals
       Evilgrade 2 Metasploit
         Reimplement functionality as metasploit module
         Improve new system
           • Port Sharing, Stealth mode, faster metasploit payload generation
         Transfer existing evilgrade modules into new system
       Create new fake servers
         Sip and XMPP
       Find new vulnerabilities in software
 19. Fake XMPP
       Based on TCP
       Used for Jabber → Instant Messaging
         Google Talk...
       Has built-in strong security, but depends on server and client
         Cleartext password transmission possible
 20. Fake Sip Server
       UDP based protocol
       Redefined in several RFCs
       Authentication similar to HTTP Digest
         Challenge – Response
       Try downgrade attack to use Basic Authentication
 21. Realisation
       Environments
       Evilgrade 2 Metasploit
       Authentication capturing servers
       Analysis of update mechanisms
 22. Used tools
       Wireshark
       Jacksum
       Vbindiff
       VmWare Workstation
       Netcat
       Ghex
 23. Attack Environment: DEMO
 24. Realisation E-2-M
 25. Fake XMPP
 26. Fake Sip Server
 27. Analysis
       1. Install an old version on the target.
       2. Sniff the update process on the attacker.
       3. Analyze network communication.
       4. If possible, try to simulate the update server.
       5. If possible, install latest version on the target.
       6. Improve server to be version independent.
       7. Improve server to allow to configure options, like the description shown as update information to the client.
 28. Results
       Fake SIP and XMPP servers
       Reimplementation of Evilgrade
       Analysis of update implementations
         Not hacked
         Indirect hacks
         Hacked
 29. Results – fake server
       XMPP
         Works
       SIP
         Downgrade attack had no success
         Capturing of Digest Authentication is working
       DEMO
 30. Results
       Evilgrade in Metasploit
         Reimpl. the old functionality
         Old modules ported
         Several improvements
           • All mentioned ones
           • Anti-virus bypassing for metasploit payloads ( DEMO at the end if time left )
           • Some others...
 31. Results - Analysis
       Not hacked
         uTorrent
         Avira Antivir
         Foxit Reader
         Vlc uses PGP
         Ad-Aware only one that uses SSL
         Spybot, AVG Antivir, Comodo Firewall, Picasa, ZoneAlarm, Winrar, flashget, camfrog..
 32. Results – Not hacked
       Not hacked
         uTorrent uses binary signed data ?!?
 33. Results – Not hacked
       Not hacked
         Avira Antivir
           MASTER.IDX
           CRDATE=20090505_1833
           <3f76d242c16a5491bfe98540f68c36c9>
 34. Results – Not hacked
       Foxit Reader and the fzip file format
 35. Results - Analysis
       Indirect hack
         Skype
         Quicktime
         Orbit Downloader
         Miranda IM
       DEMO
 36. Results - Analysis
       Hacked
         Trillian
         Kerio Firewall
         SuperAntiSpyware
         Filezilla
         GomPlayer
         Divx Player
 37. Trillian update mechanism
       Binary update information
         Can you read that ?
 38. Trillian update mechanism
       Binary update information
 39. Results - Hacked: DEMO
 40. Conclusion
       Release candidate of evil karmetasploit upgrade is ready
         No need for Evilgrade anymore
         Several improvements compared to Evilgrade
         New authentication capturing servers
       Several weak update implementations found, over 100 million downloads from www.cnet.com
 41. Conclusion
       Feature list for version 2
         SIP downgrade attack on old SIP hardware
         Fake server XMPP over HTTP
         Improve design to handle Avira Antivir
       Feature list of version 3
         Advanced stealth mode
           • Intelligent fake DNS server
         Find more vulnerabilities
 42. Conclusion
       Software developers
         Please make secure software
         Use standards and deny weak stuff by default
       And for the rest of us
         Be aware of these attack vectors
         Do not install every ”important security update”
         Do not trust security software by default
         Do not trust the Internet, especially (public) Wifi networks
 43. That's it ! Q & A
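Slide 20 describes the fake SIP server's authentication as HTTP-style Digest challenge-response with an attempted downgrade to Basic, and slide 29 reports that the downgrade failed while capturing Digest authentication worked. The Ruby block below is an added example, not code from the talk or from the Karmetasploit module: it shows the client side of that exchange, the Digest response computation from RFC 3261 (which reuses RFC 2617 without qop), a client policy that refuses a Basic challenge, and the registrar-side verification. Challenge header values, realm, nonce, username and password are constructed for the example.

```ruby
require 'digest'

# Constructed challenges as a registrar (or a rogue server) would send them
# in a 401 / 407 response. Example data, not traffic captured in the talk.
CHALLENGE_DIGEST = 'Digest realm="sip.example.invalid", nonce="7c1f2a9e4b", algorithm=MD5'
CHALLENGE_BASIC  = 'Basic realm="sip.example.invalid"'

# Split a WWW-Authenticate / Proxy-Authenticate value into scheme and parameters.
def parse_challenge(header)
  scheme, rest = header.split(' ', 2)
  params = {}
  (rest || '').scan(/(\w+)=("([^"]*)"|[^,]*)/) { |k, v, quoted| params[k] = (quoted || v).strip }
  [scheme, params]
end

# RFC 3261 / RFC 2617 Digest without qop:
#   HA1 = MD5(username:realm:password), HA2 = MD5(method:uri),
#   response = MD5(HA1:nonce:HA2)
def digest_response(username, password, method, uri, realm, nonce)
  ha1 = Digest::MD5.hexdigest("#{username}:#{realm}:#{password}")
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
  Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{ha2}")
end

# Client policy: answer Digest challenges only. A server that answers a
# REGISTER with a Basic challenge is asking for the cleartext password and
# gets nothing, which is the behaviour that makes the downgrade fail.
def answer_challenge(header, username, password, method, uri)
  scheme, p = parse_challenge(header)
  unless scheme.casecmp?('Digest') && p['realm'] && p['nonce']
    return { refused: true, reason: "scheme #{scheme.inspect} not accepted" }
  end
  unless (p['algorithm'] || 'MD5').casecmp?('MD5')
    return { refused: true, reason: "algorithm #{p['algorithm']} not supported" }
  end
  {
    refused: false, username: username, realm: p['realm'], nonce: p['nonce'], uri: uri,
    response: digest_response(username, password, method, uri, p['realm'], p['nonce'])
  }
end

# Registrar side: recompute the response from the stored password. This is
# the same computation that lets anyone who captured the exchange test
# candidate passwords offline, which is why a captured Digest is still
# sensitive and a weak SIP password is a real exposure.
def verify_response(answer, method, password)
  expected = digest_response(answer[:username], password, method,
                             answer[:uri], answer[:realm], answer[:nonce])
  expected == answer[:response]
end

if __FILE__ == $0
  uri = 'sip:sip.example.invalid'
  puts "Basic challenge  -> #{answer_challenge(CHALLENGE_BASIC, 'alice', 's3cret', 'REGISTER', uri)[:reason]}"
  ans = answer_challenge(CHALLENGE_DIGEST, 'alice', 's3cret', 'REGISTER', uri)
  puts "Digest challenge -> response=#{ans[:response]} verifies=#{verify_response(ans, 'REGISTER', 's3cret')}"
end
```

The nonce is the only server-chosen input, so a fresh nonce per challenge limits replay; it does nothing against offline guessing of the password once the exchange has been captured.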
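Slide 27 lists the analysis procedure (sniff the update, then simulate the update server), slides 31 to 38 separate products whose update data is signed or PGP-protected from those that accept unprotected binary update information, and slide 42 asks developers to deny weak mechanisms by default. The Ruby block below is an added example, not code from the talk or from the Evilgrade or Karmetasploit projects: it contrasts an update client that trusts whatever the update server returns, the pattern a simulated update server exploits, with one that requires a valid vendor signature over the manifest before any field in it is used. The manifest format, the key pair, the package bytes and the URLs are constructed for the example.

```ruby
require 'openssl'
require 'digest'

# Constructed example: a vendor signing key pair generated on the fly.
# In a real product the private half stays on the build system and only the
# public half is shipped inside the client.
VENDOR_KEY = OpenSSL::PKey::RSA.new(2048)
VENDOR_PUB = VENDOR_KEY.public_key

# Manifest format assumed for this example: "version|sha256hex|url".
def build_manifest(version, package, url)
  "#{version}|#{Digest::SHA256.hexdigest(package)}|#{url}"
end

# Build-side step: sign the manifest text with the vendor key.
def sign_manifest(manifest, key = VENDOR_KEY)
  key.sign(OpenSSL::Digest.new('SHA256'), manifest)
end

# Weak client: accepts any manifest the "update server" returns and only
# checks that the package matches the hash inside it. Whoever answers the
# update request (a fake update server, a rogue hotspot) controls both the
# manifest and the package, so the hash check proves nothing.
def weak_client_accepts?(manifest, package)
  _, hash, = manifest.split('|')
  Digest::SHA256.hexdigest(package) == hash
end

# Hardened client: the manifest must carry a valid vendor signature before
# version, hash or URL are trusted; only then is the package hash checked.
def hardened_client_check(manifest, signature, package, pub = VENDOR_PUB)
  valid = begin
    pub.verify(OpenSSL::Digest.new('SHA256'), signature, manifest)
  rescue OpenSSL::PKey::PKeyError
    false # malformed signature counts as no signature
  end
  return :bad_signature unless valid
  version, hash, = manifest.split('|')
  return :hash_mismatch unless Digest::SHA256.hexdigest(package) == hash
  [:ok, version]
end

# Constructed scenario: one genuine release and one answer from a rogue server.
GENUINE_PKG      = 'genuine installer bytes'
ROGUE_PKG        = 'payload bytes from a rogue update server'
GENUINE_MANIFEST = build_manifest('2.1', GENUINE_PKG, 'https://updates.example.invalid/app-2.1.exe')
GENUINE_SIG      = sign_manifest(GENUINE_MANIFEST)
ROGUE_MANIFEST   = build_manifest('9.9', ROGUE_PKG, 'https://updates.example.invalid/app-9.9.exe')

if __FILE__ == $0
  puts "weak client, rogue update:     #{weak_client_accepts?(ROGUE_MANIFEST, ROGUE_PKG)}"
  puts "hardened client, rogue update: #{hardened_client_check(ROGUE_MANIFEST, GENUINE_SIG, ROGUE_PKG).inspect}"
  puts "hardened client, genuine:      #{hardened_client_check(GENUINE_MANIFEST, GENUINE_SIG, GENUINE_PKG).inspect}"
end
```

The signature pins trust to a key the client already holds, independent of how the manifest reached it; a hash alone, or a plain HTTP channel, gives the client no way to tell the vendor's answer from a simulated server's. The rogue server can still replay an old, genuinely signed manifest, so a complete client also refuses versions older than the one installed.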