nullcon 2010 - the evil karmetasploit upgrade

nullcon Goa 2010 http://nullcon.net

Veysel Oezer

The Evil Karmetasploit Upgrade


Overview

IntroductionBackgroundTitleRealizationResultsConclusionDemos in between !


Introduction

IT SecurityIncreasing attacks


Introduction

IT SecurityIncreasing attacks also in Germany


Introduction

Know your enemy !”So it is said that if you know your enemies and know yourself, you will fight without danger in battles.

If you only know yourself, but not your opponent, you may win or may lose.

If you know neither yourself nor your enemy, you will always endanger yourself.”


Background

The man in the middleThe hacker toolsEvilgradeMetasploitKarma + Karmetasploit


The man in the middle attack


Known MitM attacks

ARP spoofingDNS spoofingBGP hackingICMP redirect, ...Karma !The evil twin hotspot


The hacker tools

Background


Evilgrade

Framework for attacking weak update mechanisms”The idea..is the centralization and exploitation of different update impl. all together in one tool”Written in Perl and published 2007-2008Existing ModuleSun JavaApple OS XWinamp, Winzip, Notepad++ and so on.


Evilgrade

How does it work


Evilgrade


Metasploit

Vulnerability development frameworkReduce the work for creating an exploit

Penetration testingSeveral hundert exploits

#5 from top 100 security toolsWritten in Ruby and BSD licensed

"Don't try to teach yourself how to use metasploit under the security camera at the airport"


Metasploit architecture


Karma

The evil twin access pointMitM attack on WinXp Wireless Zero Configuration...Or just name ”FreeWifi” ;)After MitM, steal authentication dataHttp, Ftp, Pop3, Imap and so on

Released in 2004


Karmetasploit

Reimplemantion of Karma into MetasploitFake access point integrated into aircrack-ngAuthentication capturing implemented as auxiliary modules for MetasploitSeveral improvementsBetter hardware supportCookie,Form data stealingBrowser exploitation


Goals

Evilgrade 2 MetasploitReimplement functionality as metasploit moduleImprove new system•Port Sharing, Stealth mode, faster metasploit payload generation

Transfer existing evilgrade modules into new system

Create new fake serversSip and XMPP

Find new vulnerabilities in software


Fake XMPP

Based on TCPUsed for Jabber → Instant MessagingGoogle Talk...

Has built-in strong security, but depends on server and clientCleartext password transmission possible


Fake Sip Server

UDP based protocolRedefined in serveral RFCsAuthentication similar to HTTP DigestChallenge – Response

Try downgrade attack to use Basic Authentication


Realisation

EnvironmentsEvilgrade 2 MetasploitAuthentication capturing serversAnalysis of update mechanisms


Used tools

WiresharkJacksumVbindiffVmWare WorkstationNetcatGhex


Attack Environment

DEMO


Realisation E-2-M


Fake XMPP


Fake Sip Server


Analysis

1. Install an old version on the target.

2. Sniff the update process on the attacker.

3. Analyze network communication.

4. If possible, try to simulate the update server.

5. If possible, install latest version on the target.

6. Improve server to be version independent.

7. Improve server to allow to configure options, like the description shown as update information to the client.


Results

Fake SIP and XMPP serversReimplementation of EvilgradeAnalysis of update implemenationsNot hackedIndirect hacksHacked


Results – fake server

XMPPWorks

SIPDowngrade attack had no successCapturing of Digest Authentication is working

DEMO


Results

Evilgrade in MetasploitReimpl. the old functionalityOld modules portedSeveral improvements•All mentioned ones•Anti-virus bypassing for metasploit payloads ( DEMO at the end if time left )

•Some others...


Results - Analysis

Not hackeduTorrentAvira Antivir Foxit ReaderVlc uses PGPAd-Aware only one that uses SSLSpybot, AVG Antivir, Comodo Firewall, Picasa, ZoneAlarm, Winrar, flashget, camfrog..


Results – Not hacked

Not hacked uTorrent uses binary signed data ?!?



Not hackedAvira Antivir

MASTER.IDXCRDATE=20090505_1833<3f76d242c16a5491bfe98540f68c36c9>



Foxit Reader and the fzip file format


Results - Analysis

Indirect hackSkypeQuicktimeOrbit DownloaderMiranda IM

DEMO


Results Analysis

HackedTrillianKerio FirewallSuperAntiSpywareFilezillaGomPlayerDivx Player


Trillian update mechanism

Binary update informationCan you read that ?


Trillian update mechanism

Binary update information


Results - Hacked

DEMO


Conclusion

Release candidate of evil karmetasploit upgrade is readyNo need for Evilgrade anymoreSeveral improvements compared to EvilgradeNew authentification capturing serversSeveral weak update implementations found,over 100 million downloads from www.cnet.com


Conclusion

Feature list for version 2 SIP downgrade attack on old SIP hardwareFake server XMPP over HTTPImprove design to handle Avira Antivir

Feature list of version 3Advanded stealth mode•Intelligent fake DNS server

Find more vulnerabilites


Conclusion

Software developersPlease make secure softwareUse standards and deny weak stuff by default

And for the rest of usBe aware of this attack vectorsDo not install every ”important security update”Do not trust security software by defaultDo not trust the Internet, especially (public) Wifi networks


That's it !

Q & A

nullcon 2010 - the evil karmetasploit upgrade

Technology

evilgrade nullcongoa2010http

java nullcongoa2010http

germany nullcongoa2010http

fake xmpp nullcongoa2010http

airport nullcongoa2010

demonullcongoa2010 http

2004nullcongoa2010 http

authentication data