SlideShare una empresa de Scribd logo
1 de 18
Descargar para leer sin conexión
Got Citrix? Hack IT!




             Shanit Gupta
         February 16, 2008
Who Am I?

►Senior Security Consultant – Foundstone
 Professional Services
►Code Review / Threat Modeling / Application
 Security
►Masters from Carnegie Mellon




                                           www.foundstone.com
Company Overview

► Founded in 1999 (Acquired by McAfee Inc. in 2004)
► Foundstone Professional Services Offices
    ■   Mission Viejo, CA
    ■   Washington, DC
    ■   New York City, NY
    ■   Atlanta, GA
    ■   Dallas, TX
    ■   Seattle, WA
    ■   Footprint World Wide via
        McAfee (now)
► Customers:
    ■   Fortune 500 focused
    ■   Financial Services,
        Insurance, Technology,
        Telecomm, Government, etc.
► Core Proposition
    ■   Foundstone offers a unique combination of software, services, and education to help
        companies continuously and measurably protect the most important assets from
        critical threats




                                                                                          www.foundstone.com
Agenda

► Background
► Demo 1: Kiosk Mode
► Demo 2: Unauthenticated Access
► Demo 3: (Un)Hidden Hotkeys
► Demo 4: Restricted Desktop Access
► Demo 5: Attack Microsoft Office
► Remediation Measures



                                      www.foundstone.com
What / How do I know about Citrix?




                                www.foundstone.com
False Sense of Security




                          www.foundstone.com
Demo1: Kiosk Mode




                    www.foundstone.com
Demo1: Kiosk Mode (Attack Vectors)

►   Ctrl + h – View History
►   Ctrl + n – New Browser
►   Shift + Left Click – New Browser
►   Ctrl + o – Internet Address (browse feature)
►   Ctrl + p – Print (to file)
►   Right Click (Shift + F10)
    ■ Save Image As
    ■ View Source
► F1 – Jump to URL…
► Browse to
 http://download.insecure.org/nmap/dist/nmap-4.53-
 setup.exe


                                                     www.foundstone.com
I Hope You Are Patching ☺




 *Source: http://secunia.com
                               www.foundstone.com
Demo 2: Unauthenticated Access

► 9 publicly accessible exploits 2007 – 08
► Particularly interesting
  ■ Citrix Presentation Server IMA Service Buffer
    Overflow Vulnerability
  ■ Social Engineering: Malicious ICA files




                                                    www.foundstone.com
Demo 2: Unauthenticated Access

► Good Old Brute Force
  ■ One account is all you need
  ■ I am sure you are using 2 factor authentication ;-)




                                                      www.foundstone.com
Demo3: (Un)Hidden Hotkeys

► SHIFT+F1: Local Task List
► SHIFT+F2: Toggle Title Bar
► SHIFT+F3: Close Remote Application
► CTRL+F1: Displays Windows Security Desktop –
  Ctrl+Alt+Del
► CTRL+F2: Remote Task List
► CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC
► ALT+F2: Cycle through programs
► ALT+PLUS: Alt+TAB
► ALT+MINUS: ALT+SHIFT+TAB

                                              www.foundstone.com
Demo4: Restricted Desktop




                            www.foundstone.com
Demo4: Restricted Desktop

►Shortcut to C:
►Create Batch File
  ■ CMD.exe
►Host Scripting File (filename.vbs)
  ■ Set objApp = CreateObject("WScript.Shell")
  ■ objApp.Run “CMD C:“




                                                 www.foundstone.com
Demo5: Attack Microsoft Office

►File->Save As
  ■ Browse Files and Launch CMD.exe
►Press F1
  ■ Search Microsoft
  ■ Click Suites Home Page
► Macros
  ■ Remote Shell
  ■ Privilege Escalation



                                         www.foundstone.com
Remediation Strategies

►1300 different registry settings
►It is HARD!




                                    www.foundstone.com
Remediation Strategies

►Lock Down Tools
  ■ Commercial
  ■ Freeware
  ■ http://updates.zdnet.com/tags/lockdown.html




                                                  www.foundstone.com
Questions or Concerns?




                         www.foundstone.com

Más contenido relacionado

Similar a Got citrix hack it

Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis   ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis   ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Greg Foss
 
Practical Encryption Tips and Tools
Practical Encryption Tips and ToolsPractical Encryption Tips and Tools
Practical Encryption Tips and ToolsHeidi Alexander
 
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들GangSeok Lee
 
Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityGeorge Boobyer
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitMauricio Velazco
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxDrMajidMumtaz
 
Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busbyDavid Busby, CISSP
 
Protecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareProtecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareQuick Heal Technologies Ltd.
 
Hands-On Security - ES Guided Tour
Hands-On Security - ES Guided TourHands-On Security - ES Guided Tour
Hands-On Security - ES Guided TourSplunk
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
Hacking and cracking
Hacking and crackingHacking and cracking
Hacking and crackingDeepak kumar
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementMauricio Velazco
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDebra Baker, CISSP CSSP
 

Similar a Got citrix hack it (20)

Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis   ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis   ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
 
Tech w23
Tech w23Tech w23
Tech w23
 
Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016
 
Practical Encryption Tips and Tools
Practical Encryption Tips and ToolsPractical Encryption Tips and Tools
Practical Encryption Tips and Tools
 
Stu t19 a
Stu t19 aStu t19 a
Stu t19 a
 
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
 
Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurity
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptx
 
Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busby
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
 
Protecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareProtecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry Ransomware
 
Endpoint is not enough
Endpoint is not enoughEndpoint is not enough
Endpoint is not enough
 
Ht t19
Ht t19Ht t19
Ht t19
 
Hands-On Security - ES Guided Tour
Hands-On Security - ES Guided TourHands-On Security - ES Guided Tour
Hands-On Security - ES Guided Tour
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Hacking and cracking
Hacking and crackingHacking and cracking
Hacking and cracking
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral Movement
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
Stu w23 b
Stu w23 bStu w23 b
Stu w23 b
 

Último

What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?TechSoup
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17Celine George
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxKatherine Villaluna
 
Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICESayali Powar
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17Celine George
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17Celine George
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfMohonDas
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17Celine George
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...raviapr7
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxAditiChauhan701637
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17Celine George
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxSaurabhParmar42
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphNetziValdelomar1
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxEduSkills OECD
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.raviapr7
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17Celine George
 
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptxSandy Millin
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...Nguyen Thanh Tu Collection
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxDr. Asif Anas
 

Último (20)

What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17
 
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptxPractical Research 1: Lesson 8 Writing the Thesis Statement.pptx
Practical Research 1: Lesson 8 Writing the Thesis Statement.pptx
 
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdfPersonal Resilience in Project Management 2 - TV Edit 1a.pdf
Personal Resilience in Project Management 2 - TV Edit 1a.pdf
 
Quality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICEQuality Assurance_GOOD LABORATORY PRACTICE
Quality Assurance_GOOD LABORATORY PRACTICE
 
How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17How to Show Error_Warning Messages in Odoo 17
How to Show Error_Warning Messages in Odoo 17
 
How to Solve Singleton Error in the Odoo 17
How to Solve Singleton Error in the  Odoo 17How to Solve Singleton Error in the  Odoo 17
How to Solve Singleton Error in the Odoo 17
 
HED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdfHED Office Sohayok Exam Question Solution 2023.pdf
HED Office Sohayok Exam Question Solution 2023.pdf
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptx
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17
 
CAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptxCAULIFLOWER BREEDING 1 Parmar pptx
CAULIFLOWER BREEDING 1 Parmar pptx
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a Paragraph
 
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptxPISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
PISA-VET launch_El Iza Mohamedou_19 March 2024.pptx
 
Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.Drug Information Services- DIC and Sources.
Drug Information Services- DIC and Sources.
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17
 
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
 
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
 
Ultra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptxUltra structure and life cycle of Plasmodium.pptx
Ultra structure and life cycle of Plasmodium.pptx
 

Got citrix hack it

  • 1. Got Citrix? Hack IT! Shanit Gupta February 16, 2008
  • 2. Who Am I? ►Senior Security Consultant – Foundstone Professional Services ►Code Review / Threat Modeling / Application Security ►Masters from Carnegie Mellon www.foundstone.com
  • 3. Company Overview ► Founded in 1999 (Acquired by McAfee Inc. in 2004) ► Foundstone Professional Services Offices ■ Mission Viejo, CA ■ Washington, DC ■ New York City, NY ■ Atlanta, GA ■ Dallas, TX ■ Seattle, WA ■ Footprint World Wide via McAfee (now) ► Customers: ■ Fortune 500 focused ■ Financial Services, Insurance, Technology, Telecomm, Government, etc. ► Core Proposition ■ Foundstone offers a unique combination of software, services, and education to help companies continuously and measurably protect the most important assets from critical threats www.foundstone.com
  • 4. Agenda ► Background ► Demo 1: Kiosk Mode ► Demo 2: Unauthenticated Access ► Demo 3: (Un)Hidden Hotkeys ► Demo 4: Restricted Desktop Access ► Demo 5: Attack Microsoft Office ► Remediation Measures www.foundstone.com
  • 5. What / How do I know about Citrix? www.foundstone.com
  • 6. False Sense of Security www.foundstone.com
  • 7. Demo1: Kiosk Mode www.foundstone.com
  • 8. Demo1: Kiosk Mode (Attack Vectors) ► Ctrl + h – View History ► Ctrl + n – New Browser ► Shift + Left Click – New Browser ► Ctrl + o – Internet Address (browse feature) ► Ctrl + p – Print (to file) ► Right Click (Shift + F10) ■ Save Image As ■ View Source ► F1 – Jump to URL… ► Browse to http://download.insecure.org/nmap/dist/nmap-4.53- setup.exe www.foundstone.com
  • 9. I Hope You Are Patching ☺ *Source: http://secunia.com www.foundstone.com
  • 10. Demo 2: Unauthenticated Access ► 9 publicly accessible exploits 2007 – 08 ► Particularly interesting ■ Citrix Presentation Server IMA Service Buffer Overflow Vulnerability ■ Social Engineering: Malicious ICA files www.foundstone.com
  • 11. Demo 2: Unauthenticated Access ► Good Old Brute Force ■ One account is all you need ■ I am sure you are using 2 factor authentication ;-) www.foundstone.com
  • 12. Demo3: (Un)Hidden Hotkeys ► SHIFT+F1: Local Task List ► SHIFT+F2: Toggle Title Bar ► SHIFT+F3: Close Remote Application ► CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del ► CTRL+F2: Remote Task List ► CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC ► ALT+F2: Cycle through programs ► ALT+PLUS: Alt+TAB ► ALT+MINUS: ALT+SHIFT+TAB www.foundstone.com
  • 13. Demo4: Restricted Desktop www.foundstone.com
  • 14. Demo4: Restricted Desktop ►Shortcut to C: ►Create Batch File ■ CMD.exe ►Host Scripting File (filename.vbs) ■ Set objApp = CreateObject("WScript.Shell") ■ objApp.Run “CMD C:“ www.foundstone.com
  • 15. Demo5: Attack Microsoft Office ►File->Save As ■ Browse Files and Launch CMD.exe ►Press F1 ■ Search Microsoft ■ Click Suites Home Page ► Macros ■ Remote Shell ■ Privilege Escalation www.foundstone.com
  • 16. Remediation Strategies ►1300 different registry settings ►It is HARD! www.foundstone.com
  • 17. Remediation Strategies ►Lock Down Tools ■ Commercial ■ Freeware ■ http://updates.zdnet.com/tags/lockdown.html www.foundstone.com
  • 18. Questions or Concerns? www.foundstone.com