nullcon 2010 - the evil karmetasploit upgrade
DESCRIPTION
nullcon 2010 - The evil karmetasploit upgrade by Veysel Ozer
TRANSCRIPT
nullcon Goa 2010 http://nullcon.net
Veysel Oezer
The Evil Karmetasploit Upgrade
Overview
- Introduction
- Background
- Title
- Realization
- Results
- Conclusion
- Demos in between!
Introduction
- IT Security: increasing attacks
Introduction
- IT Security: increasing attacks, also in Germany
Introduction
Know your enemy!
"So it is said that if you know your enemies and know yourself, you will fight without danger in battles.
If you only know yourself, but not your opponent, you may win or may lose.
If you know neither yourself nor your enemy, you will always endanger yourself."
Background
- The man in the middle
- The hacker tools
  • Evilgrade
  • Metasploit
  • Karma + Karmetasploit
The man in the middle attack
Known MitM attacks
- ARP spoofing
- DNS spoofing
- BGP hacking
- ICMP redirect, ...
- Karma! The evil twin hotspot
The hacker tools
Background
Evilgrade
- Framework for attacking weak update mechanisms
  "The idea...is the centralization and exploitation of different update impl. all together in one tool"
- Written in Perl and published 2007-2008
- Existing modules
  • Sun Java
  • Apple OS X
  • Winamp, Winzip, Notepad++ and so on.
Evilgrade
How does it work?
Evilgrade
Evilgrade
Metasploit
- Vulnerability development framework: reduces the work of creating an exploit
- Penetration testing: several hundred exploits
- #5 in the top 100 security tools
- Written in Ruby and BSD licensed
"Don't try to teach yourself how to use metasploit under the security camera at the airport"
Metasploit architecture
Karma
- The evil twin access point
  • MitM attack on WinXP Wireless Zero Configuration
  • ...or just name it "FreeWifi" ;)
- After MitM, steal authentication data: HTTP, FTP, POP3, IMAP and so on
- Released in 2004
Karmetasploit
- Reimplementation of Karma in Metasploit
  • Fake access point integrated into aircrack-ng
  • Authentication capturing implemented as auxiliary modules for Metasploit
- Several improvements
  • Better hardware support
  • Cookie and form data stealing
  • Browser exploitation
Goals
- Evilgrade 2 Metasploit
  • Reimplement the functionality as a Metasploit module
  • Improve the new system: port sharing, stealth mode, faster Metasploit payload generation
  • Transfer the existing Evilgrade modules into the new system
- Create new fake servers: SIP and XMPP
- Find new vulnerabilities in software
Fake XMPP
- Based on TCP
- Used for Jabber → instant messaging (Google Talk, ...)
- Has built-in strong security, but it depends on server and client: cleartext password transmission is possible
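The "depends on server and client" point is the whole story of a fake XMPP server: a client that is willing to authenticate on a stream where STARTTLS is simply absent hands its password to whoever answers. The following is an added illustration of the client-side decision, written for this transcript and not taken from the talk or its tools; the three `<stream:features>` stanzas are constructed samples in the shape RFC 6120 servers send, and `ChooseAuth` is a hypothetical policy function.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
)

// Constructed <stream:features> stanzas (sample input for this example).
const (
	// Before TLS a well-behaved server offers STARTTLS and nothing else.
	FeaturesBeforeTLS = `<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
</stream:features>`
	// After TLS it lists SASL mechanisms, PLAIN alongside SCRAM.
	FeaturesAfterTLS = `<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>`
	// What a fake (or STARTTLS-stripping) server shows on the cleartext stream.
	FeaturesStripped = `<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms>
</stream:features>`
)

// features maps the parts of the stanza the policy needs.
type features struct {
	XMLName    xml.Name `xml:"features"`
	StartTLS   *struct{} `xml:"urn:ietf:params:xml:ns:xmpp-tls starttls"`
	Mechanisms struct {
		List []string `xml:"mechanism"`
	} `xml:"urn:ietf:params:xml:ns:xmpp-sasl mechanisms"`
}

var (
	ErrNeedStartTLS = errors.New("server offers STARTTLS: negotiate it before authenticating")
	ErrNoTLS        = errors.New("no TLS on this stream: refusing to send credentials")
	ErrNoMechanism  = errors.New("no acceptable SASL mechanism offered")
)

// ChooseAuth picks the SASL mechanism a client may use, given the features
// stanza and whether TLS is already up. Policy: never authenticate on a
// cleartext stream, and prefer SCRAM over PLAIN even under TLS.
func ChooseAuth(featuresXML string, tlsEstablished bool) (string, error) {
	var f features
	if err := xml.Unmarshal([]byte(featuresXML), &f); err != nil {
		return "", err
	}
	if !tlsEstablished {
		if f.StartTLS != nil {
			return "", ErrNeedStartTLS
		}
		// A missing <starttls> on a cleartext stream is exactly what a fake
		// server presents; falling back to PLAIN here leaks the password.
		return "", ErrNoTLS
	}
	offered := map[string]bool{}
	for _, m := range f.Mechanisms.List {
		offered[m] = true
	}
	for _, want := range []string{"SCRAM-SHA-256", "SCRAM-SHA-1", "PLAIN"} {
		if offered[want] {
			return want, nil
		}
	}
	return "", ErrNoMechanism
}

func main() {
	cases := []struct {
		name string
		xml  string
		tls  bool
	}{
		{"before TLS", FeaturesBeforeTLS, false},
		{"stripped, no TLS", FeaturesStripped, false},
		{"after TLS", FeaturesAfterTLS, true},
	}
	for _, c := range cases {
		mech, err := ChooseAuth(c.xml, c.tls)
		fmt.Printf("%-18s mechanism=%q err=%v\n", c.name, mech, err)
	}
}
```

The `tlsEstablished` flag stands in for a real connection's state; a client that sets it must also have verified the server certificate, otherwise a fake server with its own certificate passes this policy just as well.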
Fake SIP Server
- UDP based protocol
- Redefined in several RFCs
- Authentication similar to HTTP Digest: challenge-response
- Try a downgrade attack to Basic Authentication
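To make the challenge-response scheme and the downgrade idea concrete, here is an added registrar-side verifier in Go. It is not code from the talk or from Metasploit; `DigestServer`, `ClientAuthorization` and the realm/user values are constructed for this example, while the `response` computation follows RFC 3261 (which reuses RFC 2617 Digest). The server refuses any scheme other than Digest, so a client prompted to fall back to Basic cannot be accepted, and it treats each nonce as single-use.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrSchemeNotAllowed = errors.New("only Digest is accepted: Basic would carry the password in the clear")
	ErrMalformed        = errors.New("malformed Digest credentials")
	ErrStaleNonce       = errors.New("nonce not issued by this server, or already used")
	ErrBadResponse      = errors.New("digest response does not match")
)

func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// DigestServer is a minimal registrar-side verifier constructed for this example.
// It stores HA1 = MD5(user:realm:password) rather than the passwords themselves.
type DigestServer struct {
	Realm  string
	ha1    map[string]string
	nonces map[string]bool // outstanding single-use nonces
}

func NewDigestServer(realm string) *DigestServer {
	return &DigestServer{Realm: realm, ha1: map[string]string{}, nonces: map[string]bool{}}
}

func (s *DigestServer) AddUser(user, password string) {
	s.ha1[user] = md5hex(user + ":" + s.Realm + ":" + password)
}

// Challenge issues the fresh nonce that goes into the 401's WWW-Authenticate header.
func (s *DigestServer) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	nonce := hex.EncodeToString(b)
	s.nonces[nonce] = true
	return nonce
}

// parseParams turns `k="v", k2=v2` into a map (values here never contain commas).
func parseParams(s string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(s, ",") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			out[strings.ToLower(k)] = strings.Trim(v, `"`)
		}
	}
	return out
}

// expectedResponse is the RFC 3261 / RFC 2617 computation, with or without qop=auth.
func expectedResponse(ha1, method, uri, nonce, nc, cnonce, qop string) string {
	ha2 := md5hex(method + ":" + uri)
	if qop == "auth" {
		return md5hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2)
	}
	return md5hex(ha1 + ":" + nonce + ":" + ha2)
}

// Authorize checks a request's Authorization header. Any scheme other than
// Digest is refused outright, so a prompt to fall back to Basic cannot succeed.
func (s *DigestServer) Authorize(method, header string) (string, error) {
	scheme, params, _ := strings.Cut(strings.TrimSpace(header), " ")
	if !strings.EqualFold(scheme, "Digest") {
		return "", ErrSchemeNotAllowed
	}
	p := parseParams(params)
	user, nonce, uri, resp := p["username"], p["nonce"], p["uri"], p["response"]
	if user == "" || nonce == "" || uri == "" || resp == "" {
		return "", ErrMalformed
	}
	if !s.nonces[nonce] {
		return "", ErrStaleNonce
	}
	ha1, known := s.ha1[user]
	want := expectedResponse(ha1, method, uri, nonce, p["nc"], p["cnonce"], p["qop"])
	if !known || subtle.ConstantTimeCompare([]byte(want), []byte(resp)) != 1 {
		return "", ErrBadResponse
	}
	delete(s.nonces, nonce) // single use: replaying a captured exchange fails
	return user, nil
}

// ClientAuthorization builds the header a legitimate client sends back.
func ClientAuthorization(user, realm, password, method, uri, nonce string) string {
	ha1 := md5hex(user + ":" + realm + ":" + password)
	resp := expectedResponse(ha1, method, uri, nonce, "", "", "")
	return fmt.Sprintf(`Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"`,
		user, realm, nonce, uri, resp)
}
```

A typical run: `s := NewDigestServer("example.com"); s.AddUser("alice", "s3cret")`, then `Authorize("REGISTER", ClientAuthorization(...))` with the nonce from `Challenge()` returns `alice`, a second call with the same header returns `ErrStaleNonce`, and `Authorize("REGISTER", "Basic ...")` returns `ErrSchemeNotAllowed`. Refusing Basic only closes the downgrade; a captured Digest exchange still lets the capturing party guess weak passwords offline, which is why the protocol belongs inside TLS (SIPS) on untrusted networks.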
Realisation
- Environments
- Evilgrade 2 Metasploit
- Authentication capturing servers
- Analysis of update mechanisms
Used tools
- Wireshark
- Jacksum
- Vbindiff
- VMware Workstation
- Netcat
- GHex
Attack Environment
DEMO
Realisation E-2-M
Fake XMPP
Fake SIP Server
Analysis
1. Install an old version on the target.
2. Sniff the update process on the attacker.
3. Analyze network communication.
4. If possible, try to simulate the update server.
5. If possible, install latest version on the target.
6. Improve the server to be version independent.
7. Improve the server to allow configuring options, such as the description shown to the client as update information.
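Step 4 only succeeds when the client has no way to tell the simulated server from the real one. As an added, defender-side illustration (not code from the talk, Evilgrade or Metasploit), the Go program below contrasts the two client behaviours the analysis keeps running into: `WeakVerify`, which trusts a checksum fetched over the same channel as the installer, and `StrongVerify`, which checks an Ed25519 signature with a key pinned in the client and refuses downgrades. The manifest layout, the function names and the installer bytes are constructed for this example; `Tamper` does nothing more than recompute the checksum, which is all a fake update server needs against a weak client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is the update metadata a server hands to a client. The layout is a
// constructed stand-in for this example, not any real product's format.
type Manifest struct {
	Version   string // e.g. "2.0.1"
	SHA256    string // hex digest of the installer
	Signature []byte // Ed25519 signature over signedPart(Version, SHA256)
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned key")
	ErrHashMismatch = errors.New("installer hash does not match the manifest")
	ErrDowngrade    = errors.New("manifest offers an older version than the one installed")
)

// signedPart is the exact byte string the vendor signs. Binding the version in
// stops an old, correctly signed manifest from being re-served as "new".
func signedPart(version, sha string) []byte {
	return []byte("version=" + version + "\nsha256=" + sha + "\n")
}

func installerHash(installer []byte) string {
	sum := sha256.Sum256(installer)
	return hex.EncodeToString(sum[:])
}

// Publish is the vendor side: hash the installer and sign version plus hash.
func Publish(priv ed25519.PrivateKey, version string, installer []byte) Manifest {
	sha := installerHash(installer)
	return Manifest{Version: version, SHA256: sha, Signature: ed25519.Sign(priv, signedPart(version, sha))}
}

// Tamper is all a fake update server has to do against a client that only
// checks a checksum: swap the payload and recompute the checksum it ships with.
func Tamper(m Manifest, replacement []byte) Manifest {
	m.SHA256 = installerHash(replacement)
	return m // Signature is now stale, but a weak client never looks at it
}

// WeakVerify is the pattern most analysed clients followed: trust a checksum
// that arrived over the same unauthenticated channel as the installer itself.
func WeakVerify(m Manifest, installer []byte) error {
	if installerHash(installer) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// StrongVerify is what the resistant clients do in spirit: verify a signature
// with a key pinned inside the client, refuse downgrades, then check the hash.
func StrongVerify(pub ed25519.PublicKey, installedVersion string, m Manifest, installer []byte) error {
	if !ed25519.Verify(pub, signedPart(m.Version, m.SHA256), m.Signature) {
		return ErrBadSignature
	}
	if versionLess(m.Version, installedVersion) {
		return ErrDowngrade
	}
	return WeakVerify(m, installer)
}

// versionLess reports whether a < b for dotted numeric versions ("1.9.0" < "2.0.1").
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair; pub is baked into the client
	genuine := []byte("constructed: genuine installer bytes")
	m := Publish(priv, "2.0.1", genuine)
	fmt.Println("genuine,  strong:", StrongVerify(pub, "2.0.0", m, genuine)) // <nil>

	evil := []byte("constructed: replaced installer bytes")
	bad := Tamper(m, evil)
	fmt.Println("tampered, weak:  ", WeakVerify(bad, evil))                  // <nil>: accepted
	fmt.Println("tampered, strong:", StrongVerify(pub, "2.0.0", bad, evil)) // signature error
}
```

The signature over version plus hash, checked against a key that ships inside the client, is what separates the resistant programs in the results (signed binary data, PGP) from the rest; a checksum fetched from the same server as the installer says nothing about who served it, and TLS alone only helps if the client actually validates the certificate.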
Results
- Fake SIP and XMPP servers
- Reimplementation of Evilgrade
- Analysis of update implementations
  • Not hacked
  • Indirect hacks
  • Hacked
Results – fake server
- XMPP: works
- SIP: downgrade attack had no success; capturing of Digest Authentication is working
DEMO
Results
- Evilgrade in Metasploit
  • Reimplemented the old functionality
  • Old modules ported
  • Several improvements
    • All mentioned ones
    • Anti-virus bypassing for Metasploit payloads (DEMO at the end if time is left)
    • Some others...
Results - Analysis
Not hacked
- uTorrent
- Avira AntiVir
- Foxit Reader
- VLC uses PGP
- Ad-Aware, the only one that uses SSL
- Spybot, AVG AntiVir, Comodo Firewall, Picasa, ZoneAlarm, WinRAR, FlashGet, Camfrog, ...
Results – Not hacked
uTorrent uses binary signed data?!?
Results – Not hacked
Avira AntiVir
MASTER.IDX
CRDATE=20090505_1833<3f76d242c16a5491bfe98540f68c36c9>
Results – Not hacked
Foxit Reader and the fzip file format
Results - Analysis
Indirect hack
- Skype
- QuickTime
- Orbit Downloader
- Miranda IM
DEMO
Results - Analysis
Hacked
- Trillian
- Kerio Firewall
- SuperAntiSpyware
- FileZilla
- GOM Player
- DivX Player
Trillian update mechanism
Binary update information
Can you read that?
Trillian update mechanism
Binary update information
Results - Hacked
DEMO
Conclusion
- Release candidate of the evil Karmetasploit upgrade is ready
- No need for Evilgrade anymore
- Several improvements compared to Evilgrade
- New authentication capturing servers
- Several weak update implementations found, over 100 million downloads from www.cnet.com
Conclusion
- Feature list for version 2
  • SIP downgrade attack on old SIP hardware
  • Fake server: XMPP over HTTP
  • Improve the design to handle Avira AntiVir
- Feature list for version 3
  • Advanced stealth mode: intelligent fake DNS server
  • Find more vulnerabilities
Conclusion
- Software developers
  • Please make secure software
  • Use standards and deny weak stuff by default
- And for the rest of us
  • Be aware of these attack vectors
  • Do not install every "important security update"
  • Do not trust security software by default
  • Do not trust the Internet, especially (public) WiFi networks
That's it!
Q & A