ClickOnce is a deployment solution that enables fast, easy delivery of packaged software. It is commonly used by organizations to deploy both internal and production-grade software packages, along with their respective updates. By allowing end-users to accept the requested permissions of the software package without the intervention of an administrator, ClickOnce simplifies the deployment and use of robust software solutions.
It also provides an excellent opportunity for malicious actors to establish a foothold in your network.
In this presentation, we discuss how we combined ClickOnce technology and existing phishing techniques into a new methodology for establishing an initial presence in an environment. By minimizing user interaction, we only require that the user is fooled for “one click” – after that, we already have a foothold in their environment and are ready to pivot and escalate further.
All You Need is One - A ClickOnce Love Story - Secure360 2015
1. Celebrating a decade
of guiding security
professionals.
@Secure360 or #Sec360 www.Secure360.org
All You Need Is One - A ClickOnce Love Story
Ryan Gandrud
Cody Wass
Introduction
• Ryan Gandrud
– Penetration tester
– Computer enthusiast
• Cody Wass
– Web applications
– Scotch aficionado
Overview
• ClickOnce?
• Phishing-phriendly pheatures
• Creating a malicious ClickOnce application
• Phishing setup
• Issues and pitfalls
• Demo
• Prevention
ClickOnce WTF?
• ClickOnce – What is it?
– ClickOnce is a wrapper that sits
around a Windows executable to
“install” it on a machine
– Used by application administrators to
deploy installations to users in the
network
– Supports multiple deployment methods
(web, network share, local execution)
ClickOnce Internals
• ProjectName.application
– Contains the location of the manifest and application version
information
• ProjectName.exe.config.deploy
– Contains application settings (e.g. connection strings)
• ProjectName.exe.deploy
– The (potentially malicious) executable that will be run by a user
• ProjectName.exe.manifest
– Manifest file containing application version, .NET versions
supported, permission level requested, and signatures for the
other files
– Contains the file name for the executable
ClickOnce Certificate Signing
• ClickOnce and .NET support signing applications
• Authenticode – Microsoft's certificate-based code-signing technology,
used to verify the authenticity of the publisher
• Need to “acquire” a code-signing Authenticode certificate
from a Certificate Authority (CA)
• Signing stages available
– Signed (CA)
– Self-signed (MakeCert.exe in .NET)
– Unsigned (No cert used)
ClickOnce Trust Architecture
• Applications and how they are executed are based on a trust
architecture separated into different execution source zones
• ClickOnce allows permitted applications to elevate privileges
automatically (Trusted Sites) or through prompting the user
• Prompting levels are controlled by the following registry key
– HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel
ClickOnce Trust Architecture (cont.)
• These are features: “But the most important new feature
when it comes to security is … the end user can elevate
permissions without the help of an administrator”
• “If the application permissions don't exceed policy
permissions, the application downloads and runs without
asking the user any trust questions.”
• “If the application needs more permissions than what's
granted by policy, the user is asked if he wants to trust that
application and elevate permissions... If the user clicks Run,
the application is put into the Application Trust List and is
downloaded and started.”
MSDN: https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx
ClickOnce Trust Architecture (cont.)
• When ClickOnce was originally being developed in .NET 2.0
Beta 2, permissions looked promising with the Internet zone
being restricted to applications signed by a valid certificate.
Zone              Applications
My Computer       Enabled
Local Intranet    Enabled
Trusted Sites     Enabled
Internet          Enabled for signed apps
Untrusted Sites   Disabled
ClickOnce Trust Architecture (cont.)
• Unfortunately, Microsoft decided to change this, specifically
the Internet zone, and not for the best
• Now, by default, ClickOnce packages that come from the
Internet allow a user to grant the application temporary
admin privileges in order to install
Zone              Applications
My Computer       Enabled
Local Intranet    Enabled
Trusted Sites     Enabled
Internet          Enabled
Untrusted Sites   Disabled
Owning With a Click
• Why use a ClickOnce application?
– ClickOnce is supported on all modern Windows operating
systems since it relies on .NET
– All distributions come with at least .NET 2.0 since Windows
Server 2k3
– .NET supports backwards compatibility
– Dead simple to write
– Public browser exploits are highly version specific and
more often than not, crash the victim’s browser
Owning With a Click (cont.)
• Originally meant to be deployed using Windows Internet
Explorer
– ClickOnce is supported by IE 6.0+
– Now supported by Firefox and Chrome using third party
addons (.NET 3.5+)
• Minimizes user interaction
• Delivering malicious code through multiple options
– It’s a .NET project – write your own
– Include malicious executable as a resource
Payloads
• Roll your own payload
– Our original vector
– Flagged by AV
• Standard Metasploit payload
– Also attempted
– Reverse_HTTPS returned broken shells
• Assumed due to AV or something inline during delivery of second
Meterpreter stage
Payloads (cont.)
• PowerShell
– Justin (@sixdub) did a great write-up on using PowerShell
commands instead of an executable for a Meterpreter
callback with ClickOnce
– Pros:
• Powershell command runs in memory – never touches disk
– Cons:
• Difficulty in changing payloads
• ClickOnce is already on disk
http://www.sixdub.net/?p=555
Payloads (cont.)
• Veil
– Pros:
• Payloads written in different languages
• Encrypted Payloads – less likely to get caught by AV
– Cons:
• Static “random” Meterpreter callback
• This is an issue with how Metasploit handles stagers
– Will be fixed (hopefully) soon
• We decided to go with Veil since we needed to avoid AV
detection during our Red Team engagement
Payloads (cont.)
• Problem:
– Static Meterpreter callbacks from targets
• Solution?:
– Dynamically generating individualized Veil
payloads
Creating a ClickOnce Application
• Visual Studio is used to create ClickOnce
applications
– The free edition of Visual Studio 2013 supports
ClickOnce publishing
• Start a new console application project within
Visual Studio
– No GUI popup during execution
Creating a ClickOnce Application (cont.)
• Using C# in .NET, create a new process that
launches your included executable
(ClickOnceInc.exe)
static class Program
{
    static void Main()
    {
        // Start a new process that executes the included (malicious) exe
        System.Diagnostics.Process p = new System.Diagnostics.Process();
        p.StartInfo.UseShellExecute = false;
        p.StartInfo.RedirectStandardOutput = false;
        p.StartInfo.FileName = "ClickOnceInc.exe";
        p.Start();
    }
}
Creating a ClickOnce Application (cont.)
• Ensure that your application uses the correct
version of .NET so the application runs
properly.
• Here, .NET 3.5 was chosen by navigating to
the Application tab on the left, and selecting
the Target Framework from the dropdown.
Creating a ClickOnce Application (cont.)
Creating a ClickOnce Application (cont.)
• Include your malicious binary into the project
by clicking and dragging it over your Solution
Explorer
Creating a ClickOnce Application (cont.)
• In the Properties of the application under Publish:
– Ensure the Install Mode is set to “available online only”
• This prevents the application from showing up in the
Start Menu
– Clicking the Application Files… button
• Exclude the hash for the ClickOnceInc.exe
– Dynamic payload generation changes the hash
Creating a ClickOnce Application (cont.)
Creating a ClickOnce Application (cont.)
• Click the Publish button and follow the wizard to
publish the ClickOnce application to your local drive
• There should be multiple files/directories
– Application Files directory
– Evil Survey.application
– Publish.htm
– Setup.exe
Creating a ClickOnce Application (cont.)
Server Setup
• Web server with ClickOnce-specific directories
– Kali with Veil, Metasploit, and Apache
• Apache mod_rewrite
– GET evil.com?u={ID} ->
evil.com/{ID}/evil.application
– Combined with dynamic Veil payloads, allowed
easy analytics and post-mortem data gathering.
Callback Listener
• Our solution:
– Metasploit listener
• Phishing scenario – targets are workstations
• Most likely have outbound http access
• Limited window of engagement
• Egress filtering
– ssh / icmp / dns tunneling
Pitfalls
• Outdated packages / dependencies
– Veil, Python, Wine.
• Signing restrictions
– No signing allowed with dynamic payloads
• No easy way to use mage.exe on Linux
– Self-signed certs are only marginally better
Cleanup
• ClickOnce install directory:
– %LOCALAPPDATA%\Apps\2.0\{machine-specific}\{machine-specific}\{obfuscated-app-name}
• C:\Users\Bob\AppData\Local\Apps\2.0\F3RBL2XD.32Y\Z3R2E8LL.92S\{app-folder}
Cleanup
• Add/Remove Programs
• Delete relevant AppData folder
• Nuke everything:
– Note: This will clear the entire online application
cache.
– No need for elevated privileges, AppCaches are
user-specific.
rundll32 dfshim CleanOnlineAppCache
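The cache layout on the two slides above is also where an incident responder looks when a user reports clicking a ClickOnce link: the launcher, the embedded payload and the manifests all land under the per-user %LOCALAPPDATA%\Apps\2.0 tree. The following Python script is an added example, not code from the talk or its authors. It inventories that tree with a SHA-256 per executable, assembly, manifest and .application file so the entries can be matched against the phished deployment; the directory names in its constructed sample follow the slide's example, and the file contents are placeholders.

```python
"""Added example: inventory the per-user ClickOnce application cache under
%LOCALAPPDATA%\\Apps\\2.0 for incident response. Standard library only; the
sample layout built by demo() is constructed and mirrors the path shape
given on the slide."""
import hashlib
import os
import tempfile
from pathlib import Path

# File types worth hashing: the entry-point exe, embedded payloads/assemblies,
# and the manifests that describe what was deployed.
INTERESTING = {".exe", ".dll", ".manifest", ".application"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def cache_root():
    """Default ClickOnce cache location for the current user (Windows only;
    any other root can be passed straight to inventory())."""
    return Path(os.environ.get("LOCALAPPDATA", "")) / "Apps" / "2.0"


def inventory(root):
    """Return one record per interesting file under root, sorted by path.
    Paths are reported relative to the cache root: the two random-looking
    directory levels above the app folder are machine-specific, so only the
    tail of the path is comparable across hosts."""
    root = Path(root)
    records = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in INTERESTING:
            data = path.read_bytes()
            records.append({
                "path": path.relative_to(root).as_posix(),
                "size": len(data),
                "sha256": sha256_hex(data),
            })
    return records


# Constructed files keyed by path relative to the cache root. The first two
# directory names are the slide's example; the app folder name and contents
# are placeholders.
APP_DIR = "F3RBL2XD.32Y/Z3R2E8LL.92S/evil..tion_0000000000000000_0001.0000_deadbeef"
SAMPLE_FILES = {
    APP_DIR + "/EvilSurvey.exe": b"MZ-constructed-launcher",
    APP_DIR + "/ClickOnceInc.exe": b"MZ-constructed-payload",
    APP_DIR + "/readme.txt": b"ignored: not an interesting extension",
    "F3RBL2XD.32Y/Z3R2E8LL.92S/manifests/EvilSurvey.exe.manifest": b"<assembly/>",
    "F3RBL2XD.32Y/Z3R2E8LL.92S/manifests/EvilSurvey.application": b"<assembly/>",
}


def build_sample_cache(root):
    """Write SAMPLE_FILES under root so inventory() can be exercised offline."""
    for rel, data in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo():
    """Build the constructed cache in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    live = cache_root() if os.name == "nt" and cache_root().exists() else None
    for rec in (inventory(live) if live else demo()):
        print(f"{rec['sha256']}  {rec['size']:>8}  {rec['path']}")
```

On a Windows host the script walks the real cache; elsewhere it falls back to the constructed sample. Run it before `rundll32 dfshim CleanOnlineAppCache`, since that command removes exactly the evidence being collected.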
Demo
• Client:
– Windows 7
• Server (evil.com):
– Kali running Apache to serve file
– Metasploit listener running to catch callback
Preventative Measures
• Typical Anti-Phishing Techniques
– User education
• Users continue through “… a quarter of Google
Chrome’s malware and phishing warnings”
– Endpoint protection
• Signatures lag behind usage
• Heuristics require a practical balance
• Limited usefulness for other phishing-based vectors
– Least privileged configurations
Preventative Measures
• ClickOnce-Specific Techniques
– Code Access Security
• ClickOnce applications can specify a “permissions level”
• Default: Full Trust – Requires prompt for elevation
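The permission level requested here, the file list and signatures described under ClickOnce Internals, and the "exclude the hash" publishing step are all visible in the application's .exe.manifest XML, so a defender can triage a suspicious deployment before or after anyone clicks. The following Python script is an added example, not code from the talk or its authors. The manifests it parses are constructed samples shaped like a Visual Studio publish; the element names come from the asm.v1/asm.v2 manifest schema, and the check for a Signature element only reports that a signature is present, not that it is valid or from a trusted publisher.

```python
"""Added example (not the talk's code): triage a ClickOnce .exe.manifest
for the trust signals the deck lists. Standard library only; the manifests
below are constructed samples shaped like a Visual Studio publish."""
import xml.etree.ElementTree as ET

# Namespaces used by ClickOnce manifests; Signature is standard XML-DSig.
NS = {
    "asmv1": "urn:schemas-microsoft-com:asm.v1",
    "asmv2": "urn:schemas-microsoft-com:asm.v2",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def triage_manifest(xml_text):
    """Return the trust-relevant facts and a list of findings for one manifest."""
    root = ET.fromstring(xml_text)
    entry = root.find("asmv2:entryPoint/asmv2:commandLine", NS)
    entry_point = entry.get("file") if entry is not None else None
    pset = root.find("asmv2:trustInfo/asmv2:security/"
                     "asmv2:applicationRequestMinimum/asmv2:PermissionSet", NS)
    unrestricted = pset is not None and pset.get("Unrestricted", "false").lower() == "true"

    files = root.findall("asmv2:file", NS)
    # The "exclude hash" publish option yields <file> elements with no <hash>,
    # which is what lets a payload be swapped after publishing.
    unhashed = [f.get("name") for f in files if f.find("asmv2:hash", NS) is None]
    # A second executable shipped as a file is the "include the malicious
    # executable as a resource" pattern.
    extra_exes = [f.get("name") for f in files
                  if f.get("name", "").lower().endswith(".exe") and f.get("name") != entry_point]
    # Presence of a Signature element only says the manifest was signed by
    # someone; validity and publisher identity still need the .NET tooling.
    signed = root.find("ds:Signature", NS) is not None

    findings = []
    if unrestricted:
        findings.append('requests full trust (PermissionSet Unrestricted="true")')
    findings += [f"file {n} listed without an integrity hash" for n in unhashed]
    findings += [f"ships an extra executable besides the entry point: {n}" for n in extra_exes]
    if not signed:
        findings.append("manifest carries no Signature element (unsigned publisher)")
    return {"entry_point": entry_point, "unrestricted": unrestricted,
            "unhashed_files": unhashed, "extra_executables": extra_exes,
            "signed": signed, "findings": findings}


# Constructed sample: full trust, a second executable with its hash excluded,
# no signature. Names are placeholders modelled on the deck's "Evil Survey".
SAMPLE_MANIFEST = """<asmv1:assembly manifestVersion="1.0"
  xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
  xmlns="urn:schemas-microsoft-com:asm.v2"
  xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <asmv1:assemblyIdentity name="EvilSurvey.exe" version="1.0.0.0" type="win32" />
  <entryPoint>
    <assemblyIdentity name="EvilSurvey" version="1.0.0.0" />
    <commandLine file="EvilSurvey.exe" parameters="" />
  </entryPoint>
  <trustInfo>
    <security>
      <applicationRequestMinimum>
        <PermissionSet Unrestricted="true" ID="Custom" SameSite="site" />
        <defaultAssemblyRequest permissionSetReference="Custom" />
      </applicationRequestMinimum>
    </security>
  </trustInfo>
  <file name="EvilSurvey.exe.config" size="256">
    <hash>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <dsig:DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</dsig:DigestValue>
    </hash>
  </file>
  <file name="ClickOnceInc.exe" size="73802" />
</asmv1:assembly>
"""

# Second constructed variant: partial trust, every file hashed, no extra
# executable, and a placeholder Signature element present.
SAMPLE_HARDENED = (
    SAMPLE_MANIFEST
    .replace('Unrestricted="true"', 'Unrestricted="false"')
    .replace('<file name="ClickOnceInc.exe" size="73802" />',
             '<file name="Survey.dat" size="73802"><hash>'
             '<dsig:DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</dsig:DigestValue>'
             '</hash></file>')
    .replace('</asmv1:assembly>',
             '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo /></Signature>'
             '</asmv1:assembly>')
)

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("hardened", SAMPLE_HARDENED)):
        report = triage_manifest(text)
        print(label, "->", report["findings"] or ["no findings"])
```

Pointed at the .exe.manifest of a real deployment (or one pulled from the per-user cache), the four findings map directly onto the slides: full trust is the elevation prompt, a file without a hash is the dynamic-payload trick, an extra executable is the embedded resource, and a missing signature is what the AuthenticodeRequired prompting level blocks.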
Preventative Measures
• Disabling Trust Prompt
– HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel
– Trust prompt is controlled by zone
• Untrusted Sites
• Internet
• My Computer
• Local Intranet
• Trusted Sites
Preventative Measures
String Value subkey   Value
Internet              Enabled
UntrustedSites        Disabled
MyComputer            Enabled
LocalIntranet         Enabled
TrustedSites          Enabled

Option                      Registry setting value
Enable the trust prompt.    Enabled
Restrict the trust prompt.  AuthenticodeRequired
Disable the trust prompt.   Disabled
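The PromptingLevel values in the two tables above can be audited and enforced from a script rather than by hand. The following Python is an added example, not anything from the talk: the per-zone defaults are the ones the table gives, the hardened policy (Internet set to AuthenticodeRequired, the "Restrict the trust prompt" option, and UntrustedSites left Disabled) is this example's own choice, and the registry read/write uses the standard-library winreg module, so those two functions run only on Windows and writing under HKLM needs an elevated prompt. The audit logic itself is platform-independent and can be run against a snapshot exported from any host.

```python
r"""Added example (not the talk's code): audit and optionally set the
ClickOnce trust-prompt values under
HKLM\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel.
The comparison is pure Python; registry access needs Windows."""
import sys

KEY_PATH = r"SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel"
ZONES = ("MyComputer", "LocalIntranet", "TrustedSites", "Internet", "UntrustedSites")
VALID = {"Enabled", "AuthenticodeRequired", "Disabled"}

# Per-zone defaults as the slide's table gives them; used for a zone whose
# value is absent from the registry.
DEFAULTS = {
    "MyComputer": "Enabled",
    "LocalIntranet": "Enabled",
    "TrustedSites": "Enabled",
    "Internet": "Enabled",
    "UntrustedSites": "Disabled",
}

# Hardened policy chosen for this example: Internet-zone apps may only
# prompt for elevation when signed with a CA-issued Authenticode cert.
HARDENED = dict(DEFAULTS, Internet="AuthenticodeRequired")


def audit(current, policy=HARDENED):
    """Compare a {zone: value} snapshot against policy and return findings.
    Missing zones fall back to DEFAULTS; unrecognised values are reported."""
    findings = []
    for zone in ZONES:
        actual = current.get(zone, DEFAULTS[zone])
        wanted = policy[zone]
        if actual not in VALID:
            findings.append(f"{zone}: unrecognised value {actual!r} (expected {wanted})")
        elif actual != wanted:
            findings.append(f"{zone}: is {actual}, policy requires {wanted}")
    return findings


def read_registry():
    """Read the current PromptingLevel values (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        for zone in ZONES:
            try:
                values[zone], _ = winreg.QueryValueEx(key, zone)
            except FileNotFoundError:
                pass  # absent: the runtime applies its default for that zone
    return values


def apply_policy(policy=HARDENED):
    """Write the policy as REG_SZ values (Windows only; needs admin rights)."""
    import winreg
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        for zone, value in policy.items():
            winreg.SetValueEx(key, zone, 0, winreg.REG_SZ, value)


if __name__ == "__main__":
    if sys.platform == "win32":
        current = read_registry()
    else:
        # Constructed snapshot of a default install, for running off-Windows.
        current = {"Internet": "Enabled"}
    for line in audit(current) or ["compliant"]:
        print(line)
```

On a default install the audit reports exactly one finding, Internet still set to Enabled; after apply_policy() it reports none. Setting Internet to Disabled instead of AuthenticodeRequired also stops unsigned packages, at the cost of blocking legitimately signed Internet-zone deployments as well.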
Preventative Measures
• Windows 8
– SmartScreen Filter
• Enabled by default
• Adds another layer after user clicks ‘run’ for anything
not signed by a recognized CA
• Default ‘OK’ action results in application not running
Flowchart by Robin Shahan (@robindotnet)
Questions?
More Information / References
• Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness
– Devdatta Akhawe, University of California, Berkeley, devdatta@cs.berkeley.edu
– Adrienne Porter Felt, Google, Inc., felt@google.com
• http://leastprivilege.com/2006/02/18/beware-be-aware-of-clickonce-default-settings/
• https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx
• https://msdn.microsoft.com/en-us/library/cc176048(v=vs.90).aspx
• https://msdn.microsoft.com/en-us/library/ee308453.aspx
• https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/
• https://blog.netspi.com/bypassing-av-with-veil-evasion/
• https://github.com/rapid7/metasploit-framework/issues/4895
• http://www.sixdub.net/?p=555
• https://blog.netspi.com/