Hacking VDI,
Recon and Attack Methods
PATRICK COBLE, SECURITY AND EUC ARCHITECT
Agenda
 WhoAmI?
 Overview of VDI
 Overview of Citrix and VMware
 Common and Advanced VDI Attack Methods
 VDI Recon
 How to Pivot in VDI
 Securing VDI Basics
 Questions
My Motivation
 Back at DerbyCon 2015, there was a presentation called “High Stake Target Lo Tech Attack” with Bill Gardner and Kevin Cordle that went over the power grid from a lineman’s point of view, with background information that was very practical and eye opening for someone who just knew a little bit about the grid.
 I knew that I had been doing Citrix and VMware VDI consulting for over 9 years, and over 10 years as a customer, and I wanted to do what I could to shed some light on my expertise just like Bill and Kevin did back then.
 When you work with large companies, 90% of them will have Citrix or VMware VDI solutions, and knowing some of the components can help you on your PenTest.
WhoAmI?
 Noob, Patrick Coble, 2x Father, Nerd, Hacker, Trainer, Speaker, Meme User, PowerPoint Clicker and Citrix CTA (69 in the World)
 I have been working with computers since 1988 and started hacking in the early AOL days. I started working in the IT industry in 1997 and joined the Marine Corps, where I worked within the Intelligence field on computers. Since finishing my time in the Marine Corps, I have worked in the security industry, specifically within Healthcare, and later joined a reseller before starting my own company in 2016.
 I founded a Security Consulting Company in 2016 to close the gap in local and personal security and IT consulting for Small Businesses and Individuals. I still do EUC/VDI Consulting for large companies.
VDISecurity.org
Who cares about VDI?
90% of Fortune 1000 Companies have a VDI Deployment.
A HACKER’S SUMMARY
VDI Simple Formula
 VDI is crazy IT jargon just like Cloud, Big Data, Virtualized, Software Defined and many others, but most people agree it stands for Virtual Desktop Infrastructure.
 VDI was a very clear product offering back in 2007, but over the years the two big vendors have also included application virtualization and mobile device management.
 It provides a centralized application delivery method.
 Runs Desktop or Server OSs as full desktops or just as published applications.
 Access applications or desktops from anywhere.
 NVIDIA GRID, Intel Iris Pro Graphics and AMD MxGPU provide graphics virtualization for high-end graphics.
Company Info & Major Versions
Horizon
 VMware Founded, 1998
 VMware 2016, 5.62 Billion
 First Version 2.0, January 2008
 Major Release Family
 3.0, 4.0, 5.0
 6.0
 7.0-7.2
XenDesktop
 Citrix Founded, 1989
 Citrix 2016, 3.42 Billion
 First Version 2.0, October 2007
 Major Release Family
 2.0, 3.0, 4.0
 5.0, 5.6
 7.0-7.15
VDI Basic Components
(diagram) Endpoint → Front End Web Services → Broker → Virtual Desktop / App Server (with Agent); Imaging Method
Citrix VDI Basic Components
(diagram) Endpoint → NetScaler Gateway → StoreFront → Delivery Controller → Virtual Desktop / App Server (with Agent); imaging: Provisioning Server or MCS (Linked Clone)
VMware VDI Basic Components
(diagram) Endpoint → F5 Load Balancer or APM → Security Servers / Access Point / Unified Access Gateway → Connection Server → Virtual Desktop / App Server (with Agent); imaging: Linked Clone (Composer) or Instant Clone
Architecture Components
VMware Horizon
 2x vCenter, 2x PSC
 2x Unified Access Gateway (LB)
 2x Connection Servers (LB)
 2x SQL Databases (Site + Event Logging)
 RDS or VDI Workloads
 MS Licensing (RDS, VDA, SQL, Datacenter)
 DHCP, KMS
Citrix XenApp and XenDesktop
 2x vCenter, 2x PSC
 2x StoreFront Servers(LB)
 2x Delivery Controllers (LB)
 2x SQL Databases (Site + Event Logging)
 1x License Server
 RDS or VDI Workloads
 MS Licensing (RDS, VDA, SQL, Datacenter)
 DHCP, KMS
Horizon Role Overview
VMware Horizon Architecture (diagram): endpoints → WAN → Firewall 1 / Router 1 and Firewall 2 / Router 2 → LAN → F5 APM load balancers → Unified Access Gateway (NAS-VIEWUAG-01, NAS-VIEWUAG-02) → View Connection Servers (NAS-VIEWCS-01, NAS-VIEWCS-02) → virtual desktop entitlements (pooled desktop, 1 image, 2 vCPU / 4 GB RAM, X desktops). Supporting infrastructure: SQL mirror (NAS-CTXSQL1, NAS-CTXSQL2, NAS-CTXSQL3), Active Directory (NAS-ADC-01, NAS-ADC-02), vCenter PSC (NAS-PSC-01, NAS-PSC-02), Desktop vCenter (NAS-VC-01, NAS-VC-02), a UCS 5108 chassis with eight UCS B200 M3 blades running ESX, and SAN storage.
XenDesktop Overview
XenDesktop and XenApp Architecture (diagram): endpoints → WAN → Firewall 1 / Router 1 and Firewall 2 / Router 2 → LAN → F5 APM load balancers → StoreFront servers (NAS-CTXWEB1, NAS-CTXWEB2) → Desktop Delivery Controllers (NAS-CTXDC1, NAS-CTXDC2) → virtual desktop entitlements (pooled desktop, 1 image, 2 vCPU / 4 GB RAM, X desktops). Supporting infrastructure: Provisioning Servers (NAS-CTXPVS1, NAS-CTXPVS2), Citrix License Server (NAS-CTXLIC), SQL mirror (NAS-CTXSQL1, NAS-CTXSQL2, NAS-CTXSQL3), Active Directory (NAS-ADC-01, NAS-ADC-02), vCenter PSC (NAS-PSC-01, NAS-PSC-02), Desktop vCenter (NAS-VC-01, NAS-VC-02), a UCS 5108 chassis with eight UCS B200 M3 blades running ESX, and SAN storage.
Horizon Connection Overview
XenDesktop Connection Overview
VMware Management Consoles – Connection Server (HTTPS)
VMware Management Consoles – vROPs (HTTPS)
VMware Management Consoles – AppVolumes (HTTPS)
Citrix Management Consoles – Citrix Studio (MMC)
Citrix Management Consoles – Provisioning Server (MMC)
Citrix Management Consoles – StoreFront (MMC)
Citrix Management Consoles – Director (HTTPS)
Citrix Management Consoles – UniDesk (Layering)
Citrix XenDesktop and XenApp Overview
 NetScaler Load Balancer: load balances, does SSL offload and in some cases is also an application firewall and SAML IdP or SP.
 NetScaler Unified Gateway: proxies connections from SSL to ICA.
 Citrix StoreFront: the web front end that users use.
 Citrix Delivery Controller: the broker, and where the main management console, “Citrix Studio”, lives.
 Citrix Provisioning Services: responsible for image management if it is used; it streams the OS in a UDP stream to a target device (identified by MAC address).
 Citrix Virtual Desktop Agent: runs on each Desktop or Server OS and talks to the Delivery Controller.
 Citrix License Server: it’s a license server.
VMware Horizon Overview
 Access Point: proxies the PCoIP, RDP, Blast and Blast Extreme protocols over SSL. Appliance.
 Security Server: proxies the PCoIP, RDP, Blast and Blast Extreme protocols over SSL. Windows box.
 Connection Server: the broker, and where the main management console lives, over port 443.
 vCenter Composer: used if the older image management method, Linked Clones, is in use. It is normally installed on a vCenter Server.
 Horizon Agent: runs on each Desktop or Server OS and talks to the Connection Server.
VDI – Common Attack Methods
 Phish, Phish and Phish (there are a lot of deployments that use these technologies to publish Outlook or a web browser).
 The most common published application is “Internet Explorer”, which in many cases is because App X won’t run on IE 6, 7, 8, 10. Some of the biggest deployments in DOD were for IE6 virtualization to bridge the gap in compatibility.
 Getting in from the outside is tough but it is possible. You have to find someone on unpatched systems a couple of years old to get through that front door. There are some Unicorns out there where 1494 and 3389 are punched open; then, just like any Windows box, if you ain’t patching it someone’s gettin’ in.
 There are a lot of CVEs that become VDI related from Microsoft for the Server and VDI OS, along with some from Citrix and VMware that come up, but no one writes exploits (there is one I would love to help write but I’m a noob).
VDI Default Policies
 Citrix and VMware both have default policies that can allow data exfiltration, and most admins do not change them.
 Copy/Paste (most common)
 Drive Mapping (local, network)
 USB Mapping (disabled by default on both)
 Applying policies to the right groups is another common mistake.
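Both points on this slide, the shipped defaults and the policy-to-group assignment, are easiest to check by resolving the effective setting per entitled group rather than reading each policy on its own. The following is an added example, not code from the talk and not Citrix or VMware code: the policies, group names and setting names are constructed, the resolution rule (lowest priority number wins, unfiltered policy last) follows the Citrix policy model, and the defaults are the ones the slide lists.

```python
"""Audit the effective VDI session policy per user group for exfil paths.

Added example, not code from the talk or from Citrix/VMware. The setting
names, the sample policies and the group names are constructed; the
resolution rule (lowest priority number wins, unfiltered policy applies to
everyone) is the Citrix policy model, and the defaults are the ones the
slide lists: clipboard and drive mapping allowed, USB mapping disabled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Product defaults as described on the slide (constructed setting names).
DEFAULTS: Dict[str, str] = {
    "ClipboardRedirection": "Allowed",
    "ClientDriveRedirection": "Allowed",
    "UsbRedirection": "Prohibited",
}

# The value that leaves a data-exfiltration path open.
EXFIL_VALUE = "Allowed"


@dataclass
class Policy:
    name: str
    priority: int                  # 1 = highest priority (Citrix convention)
    settings: Dict[str, str]       # only the settings this policy configures
    groups: Optional[Set[str]]     # None = unfiltered, applies to everyone


def effective_settings(policies: List[Policy], group: str) -> Dict[str, Tuple[str, str]]:
    """Resolve every setting for one group.

    Returns setting -> (value, source), where source is the winning policy
    name or "default" when no applicable policy configures the setting.
    """
    resolved = {k: (v, "default") for k, v in DEFAULTS.items()}
    applicable = [p for p in policies if p.groups is None or group in p.groups]
    # Apply lowest-priority policies first so that priority 1 is written
    # last and therefore wins.
    for policy in sorted(applicable, key=lambda p: p.priority, reverse=True):
        for setting, value in policy.settings.items():
            resolved[setting] = (value, policy.name)
    return resolved


def audit(policies: List[Policy], entitled_groups: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (group, setting, source) for every entitled group whose
    effective setting still allows an exfiltration path."""
    findings = []
    for group in sorted(entitled_groups):
        for setting, (value, source) in effective_settings(policies, group).items():
            if value == EXFIL_VALUE:
                findings.append((group, setting, source))
    return findings


# Constructed sample: a lockdown policy that was only assigned to Finance,
# and a contractor policy that deliberately re-enables USB mapping.
POLICIES = [
    Policy("Unfiltered", 99, {}, None),
    Policy("Finance-Lockdown", 1,
           {"ClipboardRedirection": "Prohibited",
            "ClientDriveRedirection": "Prohibited"},
           {"Finance"}),
    Policy("Contractor-USB", 2, {"UsbRedirection": "Allowed"}, {"Contractors"}),
]
ENTITLED_GROUPS = {"Finance", "Contractors", "Engineering"}

if __name__ == "__main__":
    for group, setting, source in audit(POLICIES, ENTITLED_GROUPS):
        print(f"{group:12} {setting:24} allowed via {source}")
```

Run against the sample, Finance comes back clean while Engineering, which nobody assigned a policy to, still has clipboard and drive mapping open via the defaults; that "source" column is what points an admin at the group that was missed rather than at a setting that looks fine in the console.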
VDI - Recon
 External scans: when you’re doing DNS and HTTP/HTTPS sweeps you can look for some of the following screenshots while you’re scanning through their domain.
 Knowing they have VDI is also a good way to adjust some of your phishing tactics: Citrix Receiver and Horizon Client upgrades are needed for security. (Repackage the MSIs with your payload and live the dream; you can use SET to clone their portal page for credential harvesting.)
 If you spot some of these wild ports between these two systems in a scan, you know what you’re dealing with.
 If someone has Citrix or VMware, in most cases their most important application is installed in it.
VDI – Recon – 80/443 StoreFront (screenshots: StoreFront 3.x, Web Interface 5.4). Usually internal only, but sometimes they are out in the real world.
VDI – Recon – 80/443 StoreFront (screenshot: StoreFront 2.0). Usually internal only, but sometimes they are out in the real world.
VDI – Recon – 80/443 Web Interface (screenshot: Web Interface 5.4). Usually internal only, but sometimes they are out in the real world.
VDI – Recon – 80/443 Web Interface (screenshot: Web Interface 4.6). Usually internal only, but sometimes they are out in the real world.
VDI – Recon – 80/443 NetScaler Gateway (screenshot: NetScaler Gateway 11.1-12.x+, X1 theme).
VDI – Recon – 80/443 NetScaler Gateway (screenshot: NetScaler Gateway 11.0, Greenbubble theme).
VDI – Recon – 80/443 NetScaler Gateway (screenshot: NetScaler Gateway 10.0, Caxton theme).
VDI – Recon – 80/443 NetScaler Admin (screenshot: NetScaler 11.1-12.x). When you see this you have found the NSIP, which is the management IP of the NetScaler. Note: most are default and are HTTP. Default username/password: nsroot / nsroot.
VDI – Recon – 80/443 NetScaler Admin (screenshot: NetScaler 10.5-11.0). Same NSIP note and default credentials as above.
VDI – Recon – 80/443 NetScaler Admin (screenshot: NetScaler 10.0). Same NSIP note and default credentials as above.
VDI – Recon – VMware Connection Server (screenshots: View 7.x, View 6.x, View 5.x)
VDI – Recon – VMware User Portal (screenshots: View 7.x, View 6.x, View 5.x)
VDI – Recon – Horizon Ports
Port    Proto  Use
445     TCP    Configuring and publishing View Composer packages to the Transfer Server repository network share
5500    TCP    2-Factor Authentication
4002    TCP    JMS (Secure)
4500    TCP    NAT-T ISAKMP (UDP)
8443    TCP    TCP
22443   TCP    TCP
22443   UDP    UDP
3091    TCP    Java RMI
3092    TCP    Java RMI
3093    TCP    Java RMI
3094    TCP    Java RMI
3099    TCP    Java RMI
3100    TCP    Java RMI
3101    TCP    Java RMI
8443    TCP    HTTPS or Blast
9427    TCP    MMR or CDR (TCP)
22443   TCP    HTTPS (TCP)
4001    TCP    JMS
4100    TCP    JMSIR
80      TCP    HTTP
443     TCP    HTTPS
4172    TCP    PCoIP TCP
4172    UDP    PCoIP UDP
3389    TCP    RDP
18443   TCP    HTTPS
9427    TCP    MMR
8009    TCP    AJP13
4002    TCP    JMS
500     UDP    IPSec (UDP)
4500    UDP    NAT-T ISAKMP (UDP)
(none)  TCP    ESP (IP Protocol 50)
32111   TCP    USB Redirection
42966   TCP    HP RGS
902     TCP    Disk Transfers
VDI - Recon - Citrix Ports
Type Port
TCP 49752
TCP 8284
TCP 8286
TCP 8285
TCP 27000
TCP 8287
TCP 2512
TCP 1433
TCP 1434
TCP 445
TCP 80/443
TCP 135
TCP 443
TCP 8443
TCP/UDP 1801
UDP 6890-6909
UDP 67 / 4011
UDP 69
UDP 6910
UDP 6910– 6930
TCP 54321-54323
TCP 1494
TCP 2598
TCP 8008
UDP 16500-16509
TCP 2513
TCP 80/8080/443
TCP 8082
TCP 80/443/8200
TCP/UDP 389
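From the defender’s side the two port lists are most useful as a check on what a perimeter scan of your own address space should and should not show. The following is an added example, not code from the talk or from either vendor: the scan lines are constructed, and the "gateway" versus "internal" zone labels are the editor’s reading of the talk’s description that the Unified Access Gateway, Security Server and NetScaler Gateway proxy the display protocols over SSL, so only those gateway ports belong on an internet-facing address. It also flags the "Unicorn" case the talk mentions, ICA or RDP reachable directly with no SSL gateway in front.

```python
"""Classify open ports from a perimeter scan against the VDI port roles
listed on the Horizon and Citrix port slides.

Added example, not code from the talk or either vendor. Scan lines are
constructed; zone labels are an assumption: display protocols are meant to
be proxied over SSL by the UAG / Security Server / NetScaler Gateway, so
only those gateway ports should be reachable from the internet.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# (port, proto) -> (service, zone). Port numbers and names are from the slides.
PORT_ROLES: Dict[Tuple[int, str], Tuple[str, str]] = {
    (443, "tcp"):   ("HTTPS (gateway / StoreFront / Connection Server)", "gateway"),
    (8443, "tcp"):  ("HTTPS or Blast", "gateway"),
    (4172, "tcp"):  ("PCoIP", "gateway"),
    (4172, "udp"):  ("PCoIP", "gateway"),
    (22443, "tcp"): ("Blast (HTTPS)", "gateway"),
    (22443, "udp"): ("Blast", "gateway"),
    (80, "tcp"):    ("HTTP (Web Interface or NetScaler NSIP admin)", "internal"),
    (1494, "tcp"):  ("ICA", "internal"),
    (2598, "tcp"):  ("ICA session reliability", "internal"),
    (3389, "tcp"):  ("RDP", "internal"),
    (1433, "tcp"):  ("SQL Server", "internal"),
    (445, "tcp"):   ("SMB", "internal"),
    (135, "tcp"):   ("RPC", "internal"),
    (27000, "tcp"): ("Citrix License Server", "internal"),
    (4001, "tcp"):  ("JMS", "internal"),
    (4002, "tcp"):  ("JMS (secure)", "internal"),
    (32111, "tcp"): ("USB redirection", "internal"),
    (902, "tcp"):   ("Disk transfers", "internal"),
}
for _rmi in (3091, 3092, 3093, 3094, 3099, 3100, 3101):   # Java RMI ports on the Horizon slide
    PORT_ROLES[(_rmi, "tcp")] = ("Java RMI", "internal")

# Port ranges from the Citrix slide.
PORT_RANGES = [
    ((6910, 6930), "udp", "Provisioning Services streaming", "internal"),
    ((54321, 54323), "tcp", "Citrix TCP 54321-54323", "internal"),
]
# Display-protocol ports: from outside they should only be reached through the gateway.
DISPLAY_PORTS: Set[int] = {1494, 2598, 3389, 4172, 22443}

# Constructed scan line format: "<host> <port>/<proto> <state>"
SCAN_RE = re.compile(r"^(?P<host>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\w+)$")
SEVERITY = {"gateway": "OK", "internal": "HIGH", "review": "REVIEW"}


def classify(port: int, proto: str) -> Tuple[str, str]:
    """Map a port to (service, zone); unknown ports go to zone 'review'."""
    if (port, proto) in PORT_ROLES:
        return PORT_ROLES[(port, proto)]
    for (lo, hi), rproto, service, zone in PORT_RANGES:
        if proto == rproto and lo <= port <= hi:
            return service, zone
    return "unknown", "review"


def assess(scan_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, port/proto, severity, service) for every open port, plus
    one host-level finding when a display protocol is exposed on an address
    that has no SSL gateway (443/tcp) in front of it."""
    open_ports: Dict[str, Set[Tuple[int, str]]] = defaultdict(set)
    for line in scan_lines:
        m = SCAN_RE.match(line.strip())
        if m and m["state"] == "open":
            open_ports[m["host"]].add((int(m["port"]), m["proto"]))
    findings = []
    for host in sorted(open_ports):
        ports = open_ports[host]
        for port, proto in sorted(ports):
            service, zone = classify(port, proto)
            findings.append((host, f"{port}/{proto}", SEVERITY[zone], service))
        if any(p in DISPLAY_PORTS for p, _ in ports) and (443, "tcp") not in ports:
            findings.append((host, "*", "HIGH", "display protocol reachable with no SSL gateway on 443/tcp"))
    return findings


# Constructed external scan: a UAG, a "Unicorn" with ICA and RDP punched
# open, and a gateway host that also leaks an internal RMI port.
SCAN = [
    "203.0.113.10 443/tcp open",
    "203.0.113.10 4172/udp open",
    "203.0.113.10 22443/tcp open",
    "203.0.113.10 80/tcp closed",
    "203.0.113.11 1494/tcp open",
    "203.0.113.11 3389/tcp open",
    "203.0.113.12 443/tcp open",
    "203.0.113.12 3093/tcp open",
    "203.0.113.12 9999/tcp open",
]

if __name__ == "__main__":
    for host, port, severity, service in assess(SCAN):
        print(f"{severity:7} {host:14} {port:10} {service}")
```

Anything rated REVIEW is a port neither slide lists, which on a VDI gateway is worth a look on its own; the HIGH rows are the ones that should drive a firewall change.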
VDI Common Google Dorks (terms to combine with inurl:"https://)
 Citrix
 VDI
 Portal
 Access
 Gateway
 Apps and App
 Remote
 Horizon
 View
 Desktop
VDI – Googling inurl:"https://vdi"
VDI – Googling inurl:"https://citrix"
VDI – Pivoting
 Once you’re in you need to find the Citrix or VMware admin groups; if you get a Domain Admin, in most deployments they are set up as admins on the system for ease of administration, depending on how the company operationally supports the deployment and how big and mature their IT department is.
 As you will see in the next 4 quick slides, there are not a lot of exploits written for Citrix or VMware based on the number of CVEs they have. You always have Windows.
 Windows and its vulns are your pivot; along with social engineering, that is the way to pivot in and out of the Citrix deployment.
 Brute forcing on the login pages in most cases is totally possible and in many cases may not raise any flags, because they are seldom monitored in many deployments (3-10 per 15 minutes). Citrix, with its NetScaler as a possible front door, does have rate limiting and WAF features that can be turned on but are seldom deployed, and on the VMware side I haven’t seen a deployment yet that has alerts set up for either of their front door solutions.
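The monitoring gap described here is cheap to close: the 3-10 attempts per 15 minutes that usually go unnoticed are exactly what a 15-minute sliding window per source address catches, and counting distinct usernames in the same window catches a password spray that stays under any per-user lockout. The following is an added example, not code from the talk or from either vendor: the log line format is constructed (NetScaler Gateway and the Connection Server each log in their own format, so only the field names matter), and the thresholds are taken from the slide’s numbers.

```python
"""Detect low-and-slow brute force and password spraying against a VDI
login page from authentication log lines.

Added example, not code from the talk or either vendor. The log format is
constructed; the thresholds follow the slide (3-10 attempts per 15 minutes
usually go unnoticed, so a 15-minute sliding window per source with a
threshold of 3 is the minimum that would have flagged them).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Optional, Set, Tuple

WINDOW = timedelta(minutes=15)
FAIL_THRESHOLD = 3      # failures from one source inside the window
SPRAY_THRESHOLD = 5     # distinct usernames from one source inside the window

# Constructed format: "<ISO-8601 UTC> src=<ip> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+src=(?P<src>\S+)\s+"
    r"user=(?P<user>\S+)\s+result=(?P<result>\w+)$")


class Event(NamedTuple):
    ts: datetime
    src: str
    user: str
    result: str


def parse(line: str) -> Optional[Event]:
    """Parse one constructed log line; return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                 m["src"], m["user"], m["result"])


def detect(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (kind, source, count) alerts, at most one per kind and source.

    kind is "bruteforce" (failures in the window) or "spray" (distinct
    usernames in the window). Lines are expected in time order.
    """
    windows: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Tuple[str, str, int]] = []
    raised: Set[Tuple[str, str]] = set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev.result != "FAIL":
            continue
        q = windows[ev.src]
        q.append((ev.ts, ev.user))
        # Drop failures older than the window relative to this event.
        while q and ev.ts - q[0][0] > WINDOW:
            q.popleft()
        distinct_users = {user for _, user in q}
        if len(q) >= FAIL_THRESHOLD and ("bruteforce", ev.src) not in raised:
            raised.add(("bruteforce", ev.src))
            alerts.append(("bruteforce", ev.src, len(q)))
        if len(distinct_users) >= SPRAY_THRESHOLD and ("spray", ev.src) not in raised:
            raised.add(("spray", ev.src))
            alerts.append(("spray", ev.src, len(distinct_users)))
    return alerts


# Constructed sample log, in time order.
SAMPLE_LOG = [
    "2017-09-22T10:00:00Z src=203.0.113.5 user=jdoe result=FAIL",
    "2017-09-22T10:04:00Z src=203.0.113.5 user=jdoe result=FAIL",
    "2017-09-22T10:06:00Z src=192.0.2.9 user=asmith result=OK",
    "2017-09-22T10:09:00Z src=203.0.113.5 user=jdoe result=FAIL",    # 3 failures in 9 min
    "2017-09-22T11:00:00Z src=198.51.100.7 user=alice result=FAIL",
    "2017-09-22T11:01:00Z src=198.51.100.7 user=bob result=FAIL",
    "2017-09-22T11:02:00Z src=198.51.100.7 user=carol result=FAIL",
    "2017-09-22T11:03:00Z src=198.51.100.7 user=dave result=FAIL",
    "2017-09-22T11:04:00Z src=198.51.100.7 user=erin result=FAIL",   # 5 distinct users
    "2017-09-22T12:00:00Z src=192.0.2.9 user=asmith result=FAIL",
    "this line is garbage and is skipped",
    "2017-09-22T12:30:00Z src=192.0.2.9 user=asmith result=FAIL",    # 30 min apart: no alert
]

if __name__ == "__main__":
    for kind, src, count in detect(SAMPLE_LOG):
        print(f"{kind:10} {src:14} {count}")
```

The window is keyed on source address because that is what a gateway log reliably has; keying on username as well would also catch a distributed attack on one account, at the cost of a second set of queues.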
Citrix CVEs – 174
CVE-2017-9231: XML external entity (XXE) vulnerability in Citrix XenMobile Server 9.x and 10.x before 10.5 RP3 allows attackers to obtain sensitive information via unspecified vectors.
CVE-2017-7219: A heap overflow vulnerability in Citrix NetScaler Gateway versions 10.1 before 135.8/135.12, 10.5 before 65.11, 11.0 before 70.12, and 11.1 before 52.13 allows a remote authenticated attacker to run arbitrary commands via unspecified vectors.
CVE-2017-6316: Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than CGISESSID.
CVE-2017-5933: Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 65.11, 11.0 before Build 69.12/69.123, and 11.1 before Build 51.21 randomly generates GCM nonces, which makes it marginally easier for remote attackers to obtain the GCM authentication key and spoof data by leveraging a reused nonce in a session and a "forbidden attack," a similar issue to CVE-2016-0270.
CVE-2017-5573: An issue was discovered in Linux Foundation xapi in Citrix XenServer through 7.0. An authenticated read-only administrator can cancel tasks of other administrators.
CVE-2017-5572: An issue was discovered in Linux Foundation xapi in Citrix XenServer through 7.0. An authenticated read-only administrator can corrupt the host database.
CVE-2017-5571: Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVE-2016-9680: Citrix Provisioning Services before 7.12 allows attackers to obtain sensitive information from kernel memory via unspecified vectors.
CVE-2016-9679: Citrix Provisioning Services before 7.12 allows attackers to execute arbitrary code by overwriting a function pointer.
VMware Horizon CVEs – 16
CVE-2017-4918: VMware Horizon View Client (2.x, 3.x and 4.x prior to 4.5.0) contains a command injection vulnerability in the service startup script. Successful exploitation of this issue may allow unprivileged users to escalate their privileges to root on the Mac OSX system where the client is installed.
CVE-2017-4913: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain an integer-overflow vulnerability in the True Type Font parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
CVE-2017-4912: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain multiple out-of-bounds read vulnerabilities in TrueType Font (TTF) parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
CVE-2017-4911: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain multiple out-of-bounds write vulnerabilities in JPEG2000 parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
CVE-2017-4909: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain a heap buffer-overflow vulnerability in TrueType Font (TTF) parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
CVE-2017-4908: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain multiple heap buffer-overflow vulnerabilities in JPEG2000 parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
CVE-2017-4907: VMware Unified Access Gateway (2.5.x, 2.7.x, 2.8.x prior to 2.8.1) and Horizon View (7.x prior to 7.1.0, 6.x prior to 6.2.4) contain a heap buffer-overflow vulnerability which may allow a remote attacker to execute code on the security gateway.
CVE-2017-4897: VMware Horizon DaaS before 7.0.0 contains a vulnerability that exists due to insufficient validation of data. An attacker may exploit this issue by tricking DaaS client users into connecting to a malicious server and sharing all their drives and devices. Successful exploitation of this vulnerability requires a victim to download a specially crafted RDP file through DaaS client by clicking on a malicious link.
CVE-2016-7087: Directory traversal vulnerability in the Connection Server in VMware Horizon View 5.x before 5.3.7, 6.x before 6.2.3, and 7.x before 7.0.1 allows remote attackers to obtain sensitive information via unspecified vectors.
Citrix Exploits
Date | Title | Platform | Author
2017-07-19 | Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection | CGI | xort
2016-11-02 | Citrix Receiver/Receiver Desktop Lock 4.5 - Authentication Bypass | Multiple | Rithwik Jay...
2015-03-19 | Citrix Command Center - Credential Disclosure | XML | Han Sahin
2015-03-19 | Citrix Nitro SDK - Command Injection | Linux | Han Sahin
2015-03-12 | Citrix Netscaler NS10.5 - WAF Bypass (Via HTTP Header Pollution) | XML | BGA Security
2014-11-06 | Citrix Netscaler SOAP Handler - Remote Code Execution (Metasploit) | BSD | Metasploit
2012-06-01 | Citrix Provisioning Services 5.6 SP1 - Streamprocess Opcode 0x40020004 Buffer Overflow... | Windows | Metasploit
VMware Exploits
Date | Title | Platform | Author
2017-07-18 | Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation | macOS | Mark Wadham
2017-06-10 | VMware vSphere Data Protection 5.x/6.x - Java Deserialization | Multiple | Kelly Correll
2017-06-08 | VMware Workstation 12 Pro - Denial of Service | Windows | Borja Merino
2017-05-22 | VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege... | Linux | Google Secu...
2016-09-19 | VMware Workstation - 'vprintproxy.exe' JPEG2000 Images Multiple Memory Corruptions | Windows | Google Secu...
2016-09-19 | VMware Workstation - 'vprintproxy.exe' TrueType NAME Tables Heap Buffer Overflow | Windows | Google Secu...
2016-08-06 | VMware Host Guest Client Redirector - DLL Side Loading (Metasploit) | Windows | Metasploit
2015-06-12 | Escaping VMware Workstation through COM1 | Papers | Google Secu...
2014-11-06 | VMware Workstations 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read | Win_x86 | KoreLogic
2013-10-14 | VMware Hyperic HQ Groovy Script-Console - Java Execution (Metasploit) | Multiple | Metasploit
2013-08-29 | VMware - Setuid VMware-mount Unsafe popen(3) (Metasploit) | Linux | Metasploit
VDI – Securing It
 Keeping it patched is the biggest battle; it only takes one box.
 Optimize the image to turn off unused features.
 Run some form of AV (for years, when the devices were provisioned and/or non-persistent, it was recommended not to install it due to overhead). This is the most common finding.
 Secure the policies to make sure data cannot leave the session in a way you don’t want it to: DLP for VDI.
 Use AppLocker or other AV systems to whitelist applications, to ensure other applications cannot be launched.
 Windows Firewall, IPsec, microsegmentation.
 Replace default SSL certificates and use SSL certificates everywhere.
Citrix Security Innovations
Citrix Analytics
WHAT THEY ARE DOING TO MAKE IT MORE SECURE
VMware Security Innovations
NSX
WHAT THEY ARE DOING TO MAKE IT MORE SECURE
Why do breaches still occur? (diagram: data center perimeter)
Today’s data centers are protected by strong perimeter defense, but threats and exploits still infect servers; low-priority systems are often the target.
Threats can lie dormant, waiting for the right moment to strike.
Server-server traffic growth has outpaced client-server traffic; the attack spreads and goes unnoticed.
Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.
Attacks spread inside the data center, where internal controls are often weak; critical systems are targeted.
Problem: Data Center Network Security
 Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible (diagram: Internet-facing perimeter with little or no lateral controls inside it; "Insufficient" versus "Operationally Infeasible").
Micro-segmentation simplifies network security
 Each VM can now be its own perimeter
 Policies align with logical groups
 Prevents threats from spreading
(diagram: perimeter firewall in front of the DMZ, App, Services and DB tiers; inside firewall around AD, NTP, DHCP, DNS and CERT; logical groups Finance, Engineering and HR)
VDISecurity.Org
 At this Site you will see things from two perspectives
 VDI Admin, How to Secure It
 Security Nerds, How to do Recon, Get In and Pivot
 I have a couple blog posts ready to roll out but just have to
wrap up a couple things. I have been slacking.
Questions
VDISecurity.org
PatrickCoble.com
@VDIHacker

Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

DerbyCon 7 - Hacking VDI, Recon and Attack Methods

  • 1. Hacking VDI, Recon and Attack Methods PATRICK COBLE, SECURITY AND EUC ARCHITECT
  • 2. Agenda
     - WhoAmI?
     - Overview of VDI
     - Overview of Citrix and VMware
     - Common and Advanced VDI Attack Methods
     - VDI Recon
     - How to Pivot in VDI
     - Securing VDI Basics
     - Questions
  • 3. My Motivation
     - Back in DerbyCon 2015, there was a presentation called "High Stake Target Lo Tech Attack" with Bill Gardner and Kevin Cordle that went over the power grid from a lineman's point of view, with background information that was very practical and eye opening for someone who just knew a little bit about the grid.
     - I knew that I have been doing Citrix and VMware VDI consulting for over 9 years and over 10 years as a customer, and I wanted to do what I could to shed some light on my expertise just like Bill and Kevin back then.
     - When you work with large companies, 90% of them will have Citrix or VMware VDI solutions, and knowing some of the components can help you on your PenTest.
  • 4. WhoAmI?
     - Noob, Patrick Coble, 2x Father, Nerd, Hacker, Trainer, Speaker, Meme User, PowerPoint Clicker and Citrix CTA (69 in the World)
     - I have been working with computers since 1988 and started hacking in the early AOL days. I started working in the IT industry in 1997 and joined the Marine Corps, where I worked within the Intelligence field on computers. Upon finishing my time in the Marine Corps, I have worked in the security industry, specifically within Healthcare, and later joined a reseller before starting my own company in 2016.
     - I founded a Security Consulting Company in 2016 to close the gap in local and personal security and IT consulting for Small Businesses and Individuals. I still do EUC/VDI Consulting for large companies. VDISecurity.org
  • 5. Who cares about VDI? 90% of Fortune 1000 Companies have a VDI Deployment. A HACKER'S SUMMARY
  • 6. VDI Simple Formula
     - VDI is crazy IT jargon just like Cloud, Big Data, Virtualized, Software Defined and many others. But most people agree it stands for Virtual Desktop Infrastructure.
     - VDI was a very clear product offering back in 2007, but over the years the two big vendors have included application virtualization and mobile device management also.
     - It provides a centralized application delivery method.
     - Runs Desktop or Server OSs as Desktops or just Published Applications.
     - Access Applications or Desktops from Anywhere.
     - NVIDIA GRID, Intel Iris Pro Graphics, AMD MxGPU for Graphics Virtualization for high end graphics.
  • 7. Company Info & Major Versions
     Horizon
     - VMware Founded, 1998
     - VMware 2016, 5.62 Billion
     - First Version 2.0, January 2008
     - Major Release Family: 3.0, 4.0, 5.0; 6.0; 7.0-7.2
     XenDesktop
     - Citrix Founded, 1989
     - Citrix 2016, 3.42 Billion
     - First Version 2.0, October 2007
     - Major Release Family: 2.0, 3.0, 4.0; 5.0, 5.6; 7.0-7.15
  • 8. VDI Basic Components: Endpoint, Front End Web Services, Broker, Virtual Desktop, App Server, Imaging Method, Agent
  • 9. Citrix VDI Basic Components: Endpoint, NetScaler Gateway, StoreFront, Delivery Controller, Virtual Desktop, App Server, Provisioning Server, MCS (Linked Clone), Agent
  • 10. VMware VDI Basic Components: Endpoint, F5 Load Balancer or APM, Access Point, Unified Access Gateway, Security Servers, Connection Server, Virtual Desktop, App Server, Linked Clone (Composer), Instant Clone, Agent
  • 11. Architecture Components
     VMware Horizon
     - 2x vCenter, 2x PSC
     - 2x Unified Access Gateway (LB)
     - 2x Connection Servers (LB)
     - 2x SQL Databases (Site + Event Logging)
     - RDS or VDI Workloads
     - MS Licensing (RDS, VDA, SQL, Datacenter)
     - DHCP, KMS
     Citrix XenApp and XenDesktop
     - 2x vCenter, 2x PSC
     - 2x StoreFront Servers (LB)
     - 2x Delivery Controllers (LB)
     - 2x SQL Databases (Site + Event Logging)
     - 1x License Server
     - RDS or VDI Workloads
     - MS Licensing (RDS, VDA, SQL, Datacenter)
     - DHCP, KMS
  • 12. Horizon Role Overview (diagram: VMware Horizon Architecture. Endpoints; WAN/LAN routers and firewalls; F5 APM load balancers; Unified Access Gateways; View Connection Servers; vCenter and PSC pairs; SQL mirror; Active Directory; pooled virtual desktops built from 1 image at 2 vCPU, 4 GB RAM; ESX hosts on UCS B200 M3 blades in a UCS 5108 chassis; SAN storage)
  • 13. XenDesktop Overview (diagram: XenDesktop and XenApp Architecture. Endpoints; WAN/LAN routers and firewalls; F5 APM load balancers; StoreFront servers; Desktop Delivery Controllers; Provisioning Servers; Citrix License Server; SQL mirror; Active Directory; vCenter and PSC pairs; pooled virtual desktops built from 1 image at 2 vCPU, 4 GB RAM; ESX hosts on UCS B200 M3 blades in a UCS 5108 chassis; SAN storage)
  • 17. VMware Management Consoles – vROPs (HTTPS)
  • 22. Citrix Management Consoles – Director (HTTPS)
  • 23. Citrix Management Consoles – UniDesk (Layering)
  • 24. Citrix XenDesktop and XenApp Overview
     - NetScaler Load Balancer: load balances, SSL offloads, and in some cases is also an Application Firewall and SAML IDP or SP.
     - NetScaler Unified Gateway: proxies connections from SSL to ICA.
     - Citrix StoreFront: the web front end that users use.
     - Citrix Delivery Controller: the broker, and where the main management console, "Citrix Studio", lives.
     - Citrix Provisioning Services: responsible for image management if it is used; it streams the OS in a UDP stream to a target device (MAC Address).
     - Citrix Virtual Desktop Agent: runs on each Desktop or Server OS and talks to the Delivery Controller.
     - Citrix License Server: it's a License Server.
  • 25. VMware Horizon Overview
     - Access Point: proxies the PCoIP, RDP, Blast and Blast Extreme protocols over SSL. Appliance.
     - Security Server: proxies the PCoIP, RDP, Blast and Blast Extreme protocols over SSL. Windows box.
     - Connection Server: the broker, and where the main management console is (over port 443).
     - vCenter/Composer: used if the older image management method, Linked Clones, is used. It is normally installed on a vCenter Server.
     - Horizon Agent: runs on each Desktop or Server OS and talks to the Connection Server.
  • 26. VDI – Common Attack Methods
     - Phish, Phish and Phish (there are a lot of deployments that use these technologies to publish Outlook or a Web Browser).
     - The most common published application is "Internet Explorer", which in many cases is because App X won't run on IE 6, 7, 8, 10. Some of the biggest deployments in DOD were for IE6 virtualization to bridge the gap in compatibility.
     - Getting in from the outside is tough but it is possible. You have to find someone on unpatched systems a couple of years old to get through that front door. There are some Unicorns out there where 1494 and 3389 are punched open; then, just like any Windows box, if you ain't patching it someone's gettin' in.
     - There are a lot of CVEs that become VDI related, from Microsoft for the Server and VDI OS along with some from Citrix and VMware, but no one writes exploits (there is one I would love to help write but I'm a noob).
  • 27. VDI Default Policies
     - Citrix and VMware both have default policies that can allow data exfiltration, and most admins do not change them.
     - Copy/Paste (Most Common)
     - Drive Mapping (Local, Network)
     - USB Mapping (Disabled by Default on both)
     - Applying Policies to the right groups is another common mistake.
  • 28. VDI - Recon
     - External Scans: when you're doing DNS and HTTP/HTTPS sweeps you can look for some of the following screenshots while scanning through their domain.
     - Knowing they have VDI is also a good way to adjust some of your Phishing Tactics ("Citrix Receiver / Horizon Client upgrades are needed for security"). (Repackage the MSIs with your payload and live the dream; you can use SET to clone their portal page for credential harvesting.)
     - If you spot some of these wild ports between these two systems in a scan you know what you're dealing with.
     - If someone has Citrix or VMware, in most cases their most important application is installed in it.
  • 29. VDI – Recon – 80/443 StoreFront: StoreFront 3.x. Usually Internal Only, But sometimes they are out in the real world.
  • 30. VDI – Recon – 80/443 StoreFront: StoreFront 2.0. Usually Internal Only, But sometimes they are out in the real world.
  • 31. VDI – Recon – 80/443 Web Interface: Web Interface 5.4. Usually Internal Only, But sometimes they are out in the real world.
  • 32. VDI – Recon – 80/443 Web Interface: Web Interface 4.6. Usually Internal Only, But sometimes they are out in the real world.
  • 33. VDI – Recon – 80/443 NetScaler Gateway: NetScaler Gateway 11.1-12.x+, X1 Theme
  • 34. VDI – Recon – 80/443 NetScaler Gateway: NetScaler Gateway 11.0, Greenbubble Theme
  • 35. VDI – Recon – 80/443 NetScaler Gateway: NetScaler Gateway 10.0, Caxton Theme
  • 36. VDI – Recon – 80/443 NetScaler Admin: NetScaler 11.1-12.x. When you see this you have found the NSIP, which is the management IP of the NetScaler. Note: Most are default and are HTTP. Default UN/PW nsroot / nsroot
  • 37. VDI – Recon – 80/443 NetScaler Admin: NetScaler 10.5-11.0. When you see this you have found the NSIP, which is the management IP of the NetScaler. Note: Most are default and are HTTP. Default UN/PW nsroot / nsroot
  • 38. VDI – Recon – 80/443 NetScaler Admin: NetScaler 10.0. When you see this you have found the NSIP, which is the management IP of the NetScaler. Note: Most are default and are HTTP. Default UN/PW nsroot / nsroot
  • 39. VDI – Recon – VMware Connection Server View 7.x
  • 40. VDI – Recon – VMware Connection Server View 6.x
  • 41. VDI – Recon – VMware Connection Server View 5.x
  • 42. VDI – Recon – VMware User Portal View 6.x View 7.x
  • 43. VDI – Recon – VMware User Portal View 6.x
  • 44. VDI – Recon – VMware User Portal View 5.x
  • 45. VDI – Recon – Horizon Ports
     - 80/TCP: HTTP
     - 443/TCP: HTTPS
     - 445/TCP: Configuring and publishing View Composer packages to the Transfer Server repository network share
     - 500/UDP: IPsec
     - 902/TCP: Disk Transfers
     - 3091, 3092, 3093, 3094, 3099, 3100, 3101/TCP: Java RMI
     - 3389/TCP: RDP
     - 4001/TCP: JMS
     - 4002/TCP: JMS (Secure)
     - 4100/TCP: JMSIR
     - 4172/TCP: PCoIP TCP
     - 4172/UDP: PCoIP UDP
     - 4500/TCP and 4500/UDP: NAT-T ISAKMP
     - 5500/TCP: 2-Factor Authentication
     - 8009/TCP: AJP13
     - 8443/TCP: HTTPS or Blast
     - 9427/TCP: MMR or CDR
     - 18443/TCP: HTTPS
     - 22443/TCP: HTTPS (TCP)
     - 22443/UDP
     - 32111/TCP: USB Redirection
     - 42966/TCP: HP RGS
     - ESP (IP Protocol 50)
  • 46. VDI - Recon - Citrix Ports
     - TCP: 80/443, 80/8080/443, 80/443/8200, 135, 443, 445, 1433, 1434, 1494, 2512, 2513, 2598, 8008, 8082, 8284, 8285, 8286, 8287, 8443, 27000, 49752, 54321-54323
     - TCP/UDP: 389, 1801
     - UDP: 67/4011, 69, 6890-6909, 6910, 6910-6930, 16500-16509
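As an added example (not part of the talk), a small Python audit that encodes the two port tables above and, for an authorised scan of your own perimeter, separates what the gateway tier is expected to present from ports that the deck says are normally internal only (StoreFront or Web Interface on plain HTTP, a NetScaler NSIP, direct 1494/3389, back-end SQL). The Citrix service labels and the set of gateway-facing ports are my assumptions, since the slide gives bare numbers.

```python
"""Label authorised-scan results with the VDI component behind each port.

Added example, not from the talk. The Horizon names come from the slide above;
the Citrix slide gives bare numbers, so those labels are the usual assignments
(an assumption), as is the rule that only what the NetScaler Gateway or
Unified Access Gateway itself presents should answer from the internet.
"""
from dataclasses import dataclass

# Horizon: (proto, port) -> service, as named on the Horizon ports slide (subset).
HORIZON = {
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS",
    ("tcp", 445): "View Composer / Transfer Server share",
    ("tcp", 3389): "RDP",
    ("tcp", 4001): "JMS",
    ("tcp", 4002): "JMS (Secure)",
    ("tcp", 4100): "JMSIR",
    ("tcp", 4172): "PCoIP TCP",
    ("udp", 4172): "PCoIP UDP",
    ("tcp", 8009): "AJP13",
    ("tcp", 8443): "HTTPS or Blast",
    ("tcp", 9427): "MMR or CDR",
    ("tcp", 22443): "HTTPS (Blast, TCP)",
    ("udp", 22443): "Blast (UDP)",
    ("tcp", 32111): "USB Redirection",
}

# Citrix: the slide lists numbers only; labels are the usual assignments (assumption).
CITRIX = {
    ("tcp", 80): "HTTP (StoreFront / Web Interface / NetScaler NSIP)",
    ("tcp", 443): "HTTPS",
    ("tcp", 445): "SMB",
    ("tcp", 389): "LDAP",
    ("tcp", 1433): "SQL Server",
    ("tcp", 1434): "SQL Browser",
    ("tcp", 1494): "ICA",
    ("tcp", 2598): "CGP / Session Reliability",
    ("tcp", 27000): "License Server",
    ("udp", 69): "TFTP (PVS boot)",
    ("udp", 6910): "PVS streaming",
}

# Assumption: the gateway tier presents 443 for both stacks; a UAG also presents
# PCoIP and Blast directly to the client. Anything else facing the internet is suspect.
GATEWAY_FACING = {
    ("tcp", 443), ("tcp", 4172), ("udp", 4172),
    ("tcp", 8443), ("tcp", 22443), ("udp", 22443),
}


@dataclass
class Finding:
    host: str
    proto: str
    port: int
    service: str
    verdict: str  # "expected" (gateway-facing) or "review"


def audit(hits):
    """hits: iterable of (host, proto, port) from an authorised scan of your own
    perimeter. Returns Findings with the ones needing review first."""
    out = []
    for host, proto, port in hits:
        key = (proto.lower(), int(port))
        names = []
        if key in HORIZON:
            names.append("Horizon: " + HORIZON[key])
        if key in CITRIX:
            names.append("Citrix: " + CITRIX[key])
        service = "; ".join(names) or "not in the deck's port tables"
        verdict = "expected" if key in GATEWAY_FACING else "review"
        out.append(Finding(host, key[0], key[1], service, verdict))
    return sorted(out, key=lambda f: (f.verdict != "review", f.host, f.port))


def needs_review(hits):
    return [f for f in audit(hits) if f.verdict == "review"]


# Constructed sample: what a scan of a fictional perimeter might return.
SAMPLE_HITS = [
    ("gw.example.test", "tcp", 443),
    ("gw.example.test", "tcp", 4172),
    ("gw.example.test", "udp", 4172),
    ("gw.example.test", "tcp", 8443),
    ("sf.example.test", "tcp", 80),       # StoreFront answering on plain HTTP
    ("ns-mgmt.example.test", "tcp", 80),  # looks like an exposed NSIP
    ("xa01.example.test", "tcp", 1494),   # ICA straight to a worker, no gateway
    ("xa01.example.test", "tcp", 3389),
    ("sql01.example.test", "tcp", 1433),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_HITS):
        print(f"{f.verdict:8} {f.host:22} {f.port}/{f.proto} {f.service}")
```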
  • 47. VDI Common Google Dorks (inurl:"https://)
     - Citrix
     - VDI
     - Portal
     - Access
     - Gateway
     - Apps and App
     - Remote
     - Horizon
     - View
     - Desktop
  • 48. VDI – Googling inurl:"https://vdi"
  • 49. VDI – Googling inurl:"https://citrix"
  • 50. VDI – Pivoting
     - Once you're in you need to find the Citrix or VMware Admin Groups; if you get a Domain Admin, in most deployments they are set up as admins on the system for ease of administration, depending on how the company operationally supports the deployment and how big and mature their IT department is.
     - As you will see in the next 4 quick slides there are not a lot of Exploits written for Citrix or VMware based on the number of CVEs they have. You always have Windows.
     - Windows and its Vulns is your pivot; along with Social Engineering, that is the way to Pivot in and out of the Citrix deployment.
     - Brute Forcing on the Login Pages in most cases is totally possible and in many cases may not raise any flags, because they are seldom monitored in many deployments (3-10 per 15 minutes). Citrix, with its NetScaler as a possible front door, does have Rate Limiting and WAF features that can be turned on but are seldom deployed, and on the VMware side I haven't seen a deployment yet that has alerts set up for either of their front door solutions.
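The last bullet is a detection gap, so here is an added example (not from the talk) of the alert it describes being absent: a Python sketch that reads front-door authentication events and raises on a source that keeps failing slowly inside a 15 minute window, or that fails against several distinct users. The line format, thresholds and addresses are constructed for the example; real NetScaler Gateway, StoreFront and Horizon Connection Server logs differ and need their own parser.

```python
"""Catch low-and-slow password guessing against a VDI login page.

Added example, not from the talk. Two patterns per source address inside a
15 minute sliding window: many failures (burst) and many distinct users
(spray). Thresholds are assumptions chosen below the 3-10 per 15 minutes
the slide says goes unnoticed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
FAIL_THRESHOLD = 5    # failures from one source inside WINDOW (assumption)
SPRAY_THRESHOLD = 3   # distinct users failing from one source (assumption)

# Constructed event format; real gateway logs have their own shape.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse(line):
    """Return a dict for one auth event, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect(lines):
    """Return (timestamp, source, reason) alerts, one per source per pattern."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures in window
    alerted = set()
    alerts = []
    for ev in filter(None, map(parse, lines)):
        if ev["result"] != "FAILURE":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > WINDOW:   # drop failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= FAIL_THRESHOLD and (ev["src"], "burst") not in alerted:
            alerted.add((ev["src"], "burst"))
            alerts.append((ev["ts"], ev["src"], f"{len(q)} failures in 15 min"))
        if len(users) >= SPRAY_THRESHOLD and (ev["src"], "spray") not in alerted:
            alerted.add((ev["src"], "spray"))
            alerts.append((ev["ts"], ev["src"], f"{len(users)} distinct users failed"))
    return alerts


# Constructed sample log: one legitimate typo, one slow single-user guesser,
# one source trying several accounts.
SAMPLE_LOG = """\
2017-09-23T10:00:05Z src=192.0.2.10 user=alice result=FAILURE
2017-09-23T10:00:40Z src=192.0.2.10 user=alice result=SUCCESS
2017-09-23T10:01:00Z src=203.0.113.7 user=jsmith result=FAILURE
2017-09-23T10:03:30Z src=203.0.113.7 user=jsmith result=FAILURE
2017-09-23T10:06:10Z src=203.0.113.7 user=jsmith result=FAILURE
2017-09-23T10:08:45Z src=198.51.100.20 user=bob result=FAILURE
2017-09-23T10:09:05Z src=198.51.100.20 user=carol result=FAILURE
2017-09-23T10:09:20Z src=203.0.113.7 user=jsmith result=FAILURE
2017-09-23T10:09:40Z src=198.51.100.20 user=dave result=FAILURE
2017-09-23T10:12:15Z src=203.0.113.7 user=jsmith result=FAILURE
2017-09-23T10:14:50Z src=203.0.113.7 user=jsmith result=FAILURE
"""

if __name__ == "__main__":
    for ts, src, reason in detect(SAMPLE_LOG.splitlines()):
        print(ts.isoformat(), src, reason)
```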
  • 51. Citrix CVEs (174)
     - CVE-2017-9231: XML external entity (XXE) vulnerability in Citrix XenMobile Server 9.x and 10.x before 10.5 RP3 allows attackers to obtain sensitive information via unspecified vectors.
     - CVE-2017-7219: A heap overflow vulnerability in Citrix NetScaler Gateway versions 10.1 before 135.8/135.12, 10.5 before 65.11, 11.0 before 70.12, and 11.1 before 52.13 allows a remote authenticated attacker to run arbitrary commands via unspecified vectors.
     - CVE-2017-6316: Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than CGISESSID.
     - CVE-2017-5933: Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 65.11, 11.0 before Build 69.12/69.123, and 11.1 before Build 51.21 randomly generates GCM nonces, which makes it marginally easier for remote attackers to obtain the GCM authentication key and spoof data by leveraging a reused nonce in a session and a "forbidden attack," a similar issue to CVE-2016-0270.
     - CVE-2017-5573: An issue was discovered in Linux Foundation xapi in Citrix XenServer through 7.0. An authenticated read-only administrator can cancel tasks of other administrators.
     - CVE-2017-5572: An issue was discovered in Linux Foundation xapi in Citrix XenServer through 7.0. An authenticated read-only administrator can corrupt the host database.
     - CVE-2017-5571: Open redirect vulnerability in the lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) 11.14.1 and earlier, as used in Citrix License Server for Windows and the Citrix License Server VPX, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
     - CVE-2016-9680: Citrix Provisioning Services before 7.12 allows attackers to obtain sensitive information from kernel memory via unspecified vectors.
     - CVE-2016-9679: Citrix Provisioning Services before 7.12 allows attackers to execute arbitrary code by overwriting a function pointer.
  • 52. VMware Horizon CVEs (16)
     - CVE-2017-4918: VMware Horizon View Client (2.x, 3.x and 4.x prior to 4.5.0) contains a command injection vulnerability in the service startup script. Successful exploitation of this issue may allow unprivileged users to escalate their privileges to root on the Mac OSX system where the client is installed.
     - CVE-2017-4913: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain an integer-overflow vulnerability in the True Type Font parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
     - CVE-2017-4912: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain multiple out-of-bounds read vulnerabilities in TrueType Font (TTF) parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
     - CVE-2017-4911: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain multiple out-of-bounds write vulnerabilities in JPEG2000 parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
     - CVE-2017-4909: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain a heap buffer-overflow vulnerability in TrueType Font (TTF) parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
     - CVE-2017-4908: VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x prior to 4.4.0) contain multiple heap buffer-overflow vulnerabilities in JPEG2000 parser in the TPView.dll. On Workstation, this may allow a guest to execute code or perform a Denial of Service on the Windows OS that runs Workstation. In the case of a Horizon View Client, this may allow a View desktop to execute code or perform a Denial of Service on the Windows OS that runs the Horizon View Client. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation but it is enabled by default on Horizon View.
     - CVE-2017-4907: VMware Unified Access Gateway (2.5.x, 2.7.x, 2.8.x prior to 2.8.1) and Horizon View (7.x prior to 7.1.0, 6.x prior to 6.2.4) contain a heap buffer-overflow vulnerability which may allow a remote attacker to execute code on the security gateway.
     - CVE-2017-4897: VMware Horizon DaaS before 7.0.0 contains a vulnerability that exists due to insufficient validation of data. An attacker may exploit this issue by tricking DaaS client users into connecting to a malicious server and sharing all their drives and devices. Successful exploitation of this vulnerability requires a victim to download a specially crafted RDP file through DaaS client by clicking on a malicious link.
     - CVE-2016-7087: Directory traversal vulnerability in the Connection Server in VMware Horizon View 5.x before 5.3.7, 6.x before 6.2.3, and 7.x before 7.0.1 allows remote attackers to obtain sensitive information via unspecified vectors.
  • 53. Citrix Exploits (Date | Title | Platform | Author)
     2017-07-19 | Citrix CloudBridge - 'CAKEPHP' Cookie Command Injection | CGI | xort
     2016-11-02 | Citrix Receiver/Receiver Desktop Lock 4.5 - Authentication Bypass | Multiple | Rithwik Jay...
     2015-03-19 | Citrix Command Center - Credential Disclosure | XML | Han Sahin
     2015-03-19 | Citrix Nitro SDK - Command Injection | Linux | Han Sahin
     2015-03-12 | Citrix Netscaler NS10.5 - WAF Bypass (Via HTTP Header Pollution) | XML | BGA Security
     2014-11-06 | Citrix Netscaler SOAP Handler - Remote Code Execution (Metasploit) | BSD | Metasploit
     2012-06-01 | Citrix Provisioning Services 5.6 SP1 - Streamprocess Opcode 0x40020004 Buffer Overflow... | Windows | Metasploit
  • 54. VMware Exploits (Date | Title | Platform | Author)
     2017-07-18 | Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation | macOS | Mark Wadham
     2017-06-10 | VMware vSphere Data Protection 5.x/6.x - Java Deserialization | Multiple | Kelly Correll
     2017-06-08 | VMware Workstation 12 Pro - Denial of Service | Windows | Borja Merino
     2017-05-22 | VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege... | Linux | Google Secu...
     2016-09-19 | VMware Workstation - 'vprintproxy.exe' JPEG2000 Images Multiple Memory Corruptions | Windows | Google Secu...
     2016-09-19 | VMware Workstation - 'vprintproxy.exe' TrueType NAME Tables Heap Buffer Overflow | Windows | Google Secu...
     2016-08-06 | VMware Host Guest Client Redirector - DLL Side Loading (Metasploit) | Windows | Metasploit
     2015-06-12 | Escaping VMware Workstation through COM1 | Papers | Google Secu...
     2014-11-06 | VMware Workstations 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read | Win_x86 | KoreLogic
     2013-10-14 | VMware Hyperic HQ Groovy Script-Console - Java Execution (Metasploit) | Multiple | Metasploit
     2013-08-29 | VMware - Setuid VMware-mount Unsafe popen(3) (Metasploit) | Linux | Metasploit
  • 55. VDI – Securing It
     - Keeping it patched is the biggest battle; it only takes one box.
     - Optimize the image to turn off unused features.
     - Run some form of AV (for years, when the devices were provisioned and/or non-persistent, it was recommended not to install it due to overhead). Most common finding.
     - Secure the policies to make sure data cannot leave the session in a way you don't want it to. DLP for VDI.
     - Use AppLocker or other AV systems to whitelist applications to ensure other applications cannot be launched.
     - Windows Firewall, IPsec, Microsegmentation.
     - Replace default SSL certificates and use SSL certificates everywhere.
  • 56. Citrix Security Innovations: Citrix Analytics. WHAT THEY ARE DOING TO MAKE IT MORE SECURE
  • 57.
  • 58.
  • 59. VMware Security Innovations: NSX. WHAT THEY ARE DOING TO MAKE IT MORE SECURE
  • 60. Why do breaches still occur?
     - Today's data centers are protected by strong perimeter defense, but threats and exploits still infect servers. Low-priority systems are often the target.
     - Threats can lie dormant, waiting for the right moment to strike.
     - Server-server traffic growth has outpaced client-server traffic. The attack spreads and goes unnoticed.
     - Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.
     - Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.
  • 61. Problem: Data Center Network Security
     - Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible.
     - Little or no lateral controls inside the perimeter. (Diagram: Internet to perimeter; "Insufficient" versus "Operationally Infeasible".)
  • 62. Micro-segmentation simplifies network security
     - Each VM can now be its own perimeter.
     - Policies align with logical groups.
     - Prevents threats from spreading.
     (Diagram: perimeter firewall and inside firewall; tiers App, DMZ, Services, DB; shared services AD, NTP, DHCP, DNS, CERT; groups Finance, Engineering, HR.)
  • 63. VDISecurity.Org
     - At this site you will see things from two perspectives:
     - VDI Admin: how to secure it.
     - Security Nerds: how to do recon, get in and pivot.
     - I have a couple of blog posts ready to roll out but just have to wrap up a couple of things. I have been slacking.

Editor's notes

  1. VMware View 3.1.3 (May 5, 2010)
     VMware View 4 (November 9, 2009)
     VMware View 4.0.2 (September 15, 2010)
     VMware View 4.5 (September 9, 2010)
     VMware View 4.6 (February 24, 2011)
     VMware View 4.6.1 (March 15, 2012)
     VMware View 4.6.2 (December 11, 2012)
     VMware View 4.6.3 (March 7, 2013)
     VMware View 5.0 (September 8, 2011)
     VMware View 5.0.1 (March 15, 2012)
     VMware View 5.1 (May 16, 2012)
     VMware View 5.1.1 (August 16, 2012)
     VMware View 5.1.2 (December 13, 2012)
     VMware View 5.1.3 (March 14, 2013)
     VMware View 5.2 (October 4, 2012)
     VMware View 5.3 (November 21, 2013)
     VMware View 5.3.1 (March 11, 2014)
     VMware View 5.3.2 (June 24, 2014)
     VMware View 5.3.3 (November 25, 2014)
     VMware View 5.3.4 (March 17, 2015)
     VMware Horizon 6.0 (June 19, 2014)
     VMware Horizon 6.0.1 (September 9, 2014)
     VMware Horizon 6.0.2 (December 9, 2014)
     VMware Horizon 6.1 (March 12, 2015)
     VMware Horizon 6.1.1 (June 4, 2015)
     VMware Horizon 6.2 (September 3, 2015)
  2. Let’s take a look at the screen of the Citrix Analytics Service delivered in the cloud. This is showcasing the end user behavior. An IT or security professional can easily spot that one of the users, Mary Smith, has exceeded her risk factor and threshold, and she's been quarantined.
  3. IT can drill down and look at what's been going on in her environment: the time frame, the events that have been happening and how the risk profile has been coming up through unsanctioned access, coming into the network from different places, and downloading too much data, which is unusual. All of that led the system to the conclusion that this particular user needs to be quarantined. However, all of this is flexible and completely customizable, because we know that, in the land of security analytics, having full visibility into what's going on in your environment is critical for provisioning the right level of access and control.
  4. It's important to understand the challenge micro-segmentation solves, because it's one that has been known but not solvable in reality until now. If we look at all the well publicized attacks over the last couple of years (Target, Home Depot, Sony and more), they all were different from a hacker code perspective, but they all had one thing in common: once the threat got through the perimeter defense, whether through the firewall or from the inside, there were little or no lateral controls to keep the threat from moving from server to server until it found what it was looking for and started pumping out credit card numbers or other private information. Nirvana to most security teams is "micro-segmentation" or a "zero-trust" approach. However, even if your company can afford the capital expense for enough firewalls to deliver the throughput capacity required to achieve high availability micro-segmentation for East-West traffic in your data center, the operational complexity of managing changes, VM movement, policy granularity and unsustainable policy table changes across all of these firewalls quickly becomes operationally infeasible.