SlideShare una empresa de Scribd logo

All You Need is One - A ClickOnce Love Story - Secure360 2015

NetSPI
NetSPI

ClickOnce is a deployment solution that enables fast, easy delivery of packaged software. It is commonly used by organizations to deploy both internal and production-grade software packages, along with their respective updates. By allowing end-users to accept the requested permissions of the software package without the intervention of an administrator, ClickOnce simplifies the deployment and use of robust software solutions. It also provides an excellent opportunity for malicious actors to establish a foothold in your network. In this presentation, we discuss how we combined ClickOnce technology and existing phishing techniques into a new methodology for establishing an initial presence in an environment. By minimizing user interaction, we only require that the user is fooled for “one click” – after that, we already have a foothold in their environment and are ready to pivot and escalate further.

Tecnología
1 de 39
Descargar para leer sin conexión
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org All You Need Is One - A ClickOnce Love Story Ryan Gandrud Cody Wass
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Introduction • Ryan Gandrud – Penetration tester – Computer enthusiast • Cody Wass – Web applications – Scotch aficionado
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Overview • ClickOnce? • Phishing-phriendly pheatures • Creating a malicious ClickOnce application • Phishing setup • Issues and pitfalls • Demo • Prevention
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org ClickOnce WTF? • ClickOnce – What is it? – ClickOnce is a wrapper that sits around a Windows executable to “install” it on a machine – Used by application administrators to deploy installations to users in the network – Supports multiple deployment methods (web, network share, local execution)
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org ClickOnce Internals • ProjectName.application – Contains the location of the manifest and application version information • ProjectName.exe.config.deploy – Contains application settings (i.e. connection strings, etc.) • ProjectName.exe.deploy – The (potentially malicious) executable that will be run by a user • ProjectName.exe.manifest – Manifest file containing application version, .NET versions supported, permission level requested, and signatures for the other files – Contains the file name for the executable
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org ClickOnce Certificate Signing • ClickOnce and .NET support signing applications • Authenticode – Microsoft cert-based signing technology used to verify the authenticity of publisher • Need to “acquire” an code-signing Authenticode certificate from a Certificate Authority (CA) • Signing stages available – Signed (CA) – Self-signed (MakeCert.exe in .NET) – Unsigned (No cert used)
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org ClickOnce Trust Architecture • Applications and how they are executed are based on a trust architecture separated into different execution source zones • ClickOnce allows permitted applications to elevate privileges automatically (Trusted Sites) or through prompting the user • Prompting levels are controlled by the following registry key – HKEY_LOCAL_MACHINESOFTWAREMICROSOFT.NETFra meworkSecurityTrustManagerPromptingLevel
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org ClickOnce Trust Architecture (cont.) • These are features: "But the most important new feature when it comes to security is … the end user can elevate permissions without the help of an administrator“ • “If the application permissions don't exceed policy permissions, the application downloads and runs without asking the user any trust questions.” • “If the application needs more permissions than what's granted by policy, the user is asked if he wants to trust that application and elevate permissions... If the user clicks Run, the application is put into the Application Trust List and is downloaded and started.” MSDN:https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org ClickOnce Trust Architecture (cont.) • When ClickOnce was originally being developed in .NET 2.0 Beta 2, permissions looked promising with the Internet zone being restricted to applications signed by a valid certificate. Zone Applications My Computer Enabled Local Intranet Enabled Trusted Sites Enabled Internet Enabled for signed apps Untrusted Sites Disabled
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org ClickOnce Trust Architecture (cont.) • Unfortunately, Microsoft decided to change this, specifically the Internet zone, and not for the best • Now, by default, ClickOnce packages that come from the Internet allow a user to grant the application temporary admin privileges in order to install Zone Applications My Computer Enabled Local Intranet Enabled Trusted Sites Enabled Internet Enabled Untrusted Sites Disabled
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Owning With a Click • Why use ClickOnce application? – ClickOnce is supported on all modern Windows operating systems since it relies on .NET – All distributions come with at least .NET 2.0 since Windows Server 2k3 – .NET supports backwards compatibility – Dead simple to write – Public browser exploits are highly version specific and more often than not, crash the victim’s browser
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Owning With a Click (cont.) • Originally meant to be deployed using Windows Internet Explorer – ClickOnce is supported by IE 6.0+ – Now supported by Firefox and Chrome using third party addons (.NET 3.5+) • Minimizes user interaction • Delivering malicious code through multiple options – It’s a .NET project – write your own – Include malicious executable as a resource
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Payloads • Roll your own payload – Our original vector – Flagged by AV • Standard Metasploit payload – Also attempted – Reverse_HTTPS returned broken shells • Assumed due to AV or something inline during delivery of second Meterpreter stage
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Payloads (cont.) • Powershell – Justin@sixdub did a great write-up on using Powershell commands instead of an executable for a Meterpreter callback with ClickOnce – Pros: • Powershell command runs in memory – never touches disk – Cons: • Difficulty in changing payloads • ClickOnce is already on disk http://www.sixdub.net/?p=555
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Payloads (cont.) • Veil – Pros: • Payloads written in different languages • Encrypted Payloads – less likely to get caught by AV – Cons: • Static “random” Meterpreter callback • This is an issue with how Metasploit handles stagers – Will be fixed (hopefully) soon • We decided to go with Veil since we to avoid AV detection during our Red Team engagement
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Payloads (cont.) • Problem: – Static Meterpreter callbacks from targets • Solution?: – Dynamically generating individualized Veil payloads
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application • Visual Studio is used to create ClickOnce applications – The free edition of Visual Studio 2013 supports ClickOnce publishing • Start a new console application project within Visual Studio – No GUI popup during execution
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.) • Using C# in .NET, create a new process that launches your included executable (ClickOnceInc.exe) static class Program { static void Main() { //Starting a new process executing the malicious exe System.Diagnostics.Process p = new System.Diagnostics.Process(); p.StartInfo.UseShellExecute = false; p.StartInfo.RedirectStandardOutput = false; p.StartInfo.FileName = "ClickOnceInc.exe"; p.Start(); } }
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.) • Ensure that your application uses the correct version of .NET so the application runs properly. • Here, .NET 3.5 was chosen by navigating to the Application tab on the left, and selecting the Target Framework from the dropdown.
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.)
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.) • Include your malicious binary into the project by clicking and dragging it over your Solution Explorer
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.) • In the Properties of the application under Publish: – Ensure the Install Mode is set to “available online only” • This prevents the application from showing up in the Start Menu – Clicking the Application Files… button • Exclude the hash for the ClickOnceInc.exe – Dynamic payload generation changes the hash
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.)
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.) • Clicking the Publish button, follow the wizard to publish the ClickOnce application to your local drive • There should be multiple files/directories – Application Files directory – Evil Survey.application – Publish.htm – Setup.exe
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.)
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Server Setup • Web server with ClickOnce-specific directories – Kali with Veil, Metasploit, and Apache • Apache mod_rewrite – GET evil.com?u={ID} -> evil.com/{ID}/evil.application – Combined with dynamic Veil payloads, allowed easy analytics and post-mortem data gathering.
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Callback Listener • Our solution: – Metasploit listener • Phishing scenario – targets are workstations • Most likely have outbound http access • Limited window of engagement • Egress filtering – ssh / icmp / dns tunneling
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Pitfalls • Outdated packages / dependencies – Veil, Python, Wine. • Signing restrictions – No signing allowed with dynamic payloads • No easy way to use mage.exe on linux – Self-signed certs are only marginally better
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Cleanup • ClickOnce install directory: – %LOCALAPPDATA%Apps2.0{machine- specific}{machine-specific}{obfuscated-app- name} • C:UsersBobAppDataLocalApps2.0F3RBL2XD.32Y Z3R2E8LL.92S{app-folder}
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Cleanup • Add/Remove Programs • Delete relevant AppData folder • Nuke everything: – Note: This will clear the entire online application cache. – No need for elevated privileges, AppCaches are user-specific. rundll32 dfshim CleanOnlineAppCache
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Demo • Client: – Windows 7 • Server (evil.com): – Kali running Apache to serve file – Metasploit listener running to catch callback
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Preventative Measures • Typical Anti-Phishing Techniques – User education • Users continue through “… a quarter of Google Chrome’s malware and phishing warnings” – Endpoint protection • Signatures lag behind usage • Heuristics require a practical balance • Limited usefulness for other phishing-based vectors – Least privileged configurations
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Preventative Measures • ClickOnce-Specific Techniques – Code Access Security • ClickOnce applications can specify a “permissions level” • Default: Full Trust – Requires prompt for elevation
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Preventative Measures • Disabling Trust Prompt – HKEY_LOCAL_MACHINESOFTWAREMICROSOFT.NETFra meworkSecurityTrustManagerPromptingLevel – Trust prompt is controlled by zone • Untrusted Sites • Internet • My Computer • Local Intranet • Trusted Sites
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Preventative Measures String Value subkey Value Internet Enabled UntrustedSites Disabled MyComputer Enabled LocalIntranet Enabled TrustedSites Enabled Option Registry setting value Enable the trust prompt. Enabled Restrict the trust prompt. AuthenticodeRequired Disable the trust prompt. Disabled
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Preventative Measures • Windows 8 – SmartScreen Filter • Enabled by default • Adds another layer after user clicks ‘run’ for anything not signed by a recognized CA • Default ‘OK’ action results in application not running
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Flowchart by Robin Shahan (@robindotnet)
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Questions?
Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org More Information / References • Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness – Devdatta Akhawe University of California, Berkeley, devdatta@cs.berkeley.edu – Adrienne Porter Felt Google, Inc, felt@google.com • http://leastprivilege.com/2006/02/18/beware-be-aware-of-clickonce-default-settings/ • https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx • https://msdn.microsoft.com/en-us/library/cc176048(v=vs.90).aspx • https://msdn.microsoft.com/en-us/library/ee308453.aspx • https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive- answer-2/ • https://blog.netspi.com/bypassing-av-with-veil-evasion/ • https://github.com/rapid7/metasploit-framework/issues/4895 • http://www.sixdub.net/?p=555 • https://blog.netspi.com/

Recomendados

PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Automated UI Testing
Automated UI TestingAutomated UI Testing
Automated UI TestingMikalai Alimenkou
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Why Users Are Moving on from Docker and Leaving Its Security Risks Behind (Sp...
Why Users Are Moving on from Docker and Leaving Its Security Risks Behind (Sp...Why Users Are Moving on from Docker and Leaving Its Security Risks Behind (Sp...
Why Users Are Moving on from Docker and Leaving Its Security Risks Behind (Sp...Amazon Web Services
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Liran Tal
 

Recomendados

PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Automated UI Testing
Automated UI TestingAutomated UI Testing
Automated UI TestingMikalai Alimenkou
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Why Users Are Moving on from Docker and Leaving Its Security Risks Behind (Sp...
Why Users Are Moving on from Docker and Leaving Its Security Risks Behind (Sp...Why Users Are Moving on from Docker and Leaving Its Security Risks Behind (Sp...
Why Users Are Moving on from Docker and Leaving Its Security Risks Behind (Sp...Amazon Web Services
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Snyk Intro - Developer Security Essentials 2022
Snyk Intro - Developer Security Essentials 2022Liran Tal
 
Automation Testing using Selenium
Automation Testing using SeleniumAutomation Testing using Selenium
Automation Testing using SeleniumNaresh Chintalcheru
 
Selenium IDE
Selenium IDESelenium IDE
Selenium IDEb4usolution .
 
Selenium-Locators
Selenium-LocatorsSelenium-Locators
Selenium-LocatorsMithilesh Singh
 
SELENIUM PPT.pdf
SELENIUM PPT.pdfSELENIUM PPT.pdf
SELENIUM PPT.pdfRebelSnowball
 
Laravel presentation
Laravel presentationLaravel presentation
Laravel presentationToufiq Mahmud
 
Selenium IDE LOCATORS
Selenium IDE LOCATORSSelenium IDE LOCATORS
Selenium IDE LOCATORSMindfire Solutions
 
How to Reverse Engineer Web Applications
How to Reverse Engineer Web ApplicationsHow to Reverse Engineer Web Applications
How to Reverse Engineer Web ApplicationsJarrod Overson
 
Express JS
Express JSExpress JS
Express JSAlok Guha
 
Automation - web testing with selenium
Automation - web testing with seleniumAutomation - web testing with selenium
Automation - web testing with seleniumTzirla Rozental
 
Automated Web Testing Using Selenium
Automated Web Testing Using SeleniumAutomated Web Testing Using Selenium
Automated Web Testing Using SeleniumWeifeng Zhang
 
Test Automation and Selenium
Test Automation and SeleniumTest Automation and Selenium
Test Automation and SeleniumKarapet Sarkisyan
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsFelipe Prado
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
Java Programming
Java ProgrammingJava Programming
Java ProgrammingElizabeth alexander
 
Spring boot
Spring bootSpring boot
Spring bootGyanendra Yadav
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.VodqaBLR
 
Introduction to Selenium Web Driver
Introduction to Selenium Web DriverIntroduction to Selenium Web Driver
Introduction to Selenium Web DriverReturn on Intelligence
 
Automation Testing using Selenium Webdriver
Automation Testing using Selenium WebdriverAutomation Testing using Selenium Webdriver
Automation Testing using Selenium WebdriverPankaj Biswas
 
Selenium WebDriver Tutorial For Beginners | What Is Selenium WebDriver | Sele...
Selenium WebDriver Tutorial For Beginners | What Is Selenium WebDriver | Sele...Selenium WebDriver Tutorial For Beginners | What Is Selenium WebDriver | Sele...
Selenium WebDriver Tutorial For Beginners | What Is Selenium WebDriver | Sele...Edureka!
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdfFarouk2nd
 
Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From WindowsNetSPI
 
GPU Cracking - On the Cheap
GPU Cracking - On the CheapGPU Cracking - On the Cheap
GPU Cracking - On the CheapNetSPI
 

Más contenido relacionado

La actualidad más candente

Automation Testing using Selenium
Automation Testing using SeleniumAutomation Testing using Selenium
Automation Testing using SeleniumNaresh Chintalcheru
 
Laravel presentation
Laravel presentationLaravel presentation
Laravel presentationToufiq Mahmud
 
How to Reverse Engineer Web Applications
How to Reverse Engineer Web ApplicationsHow to Reverse Engineer Web Applications
How to Reverse Engineer Web ApplicationsJarrod Overson
 
Automation - web testing with selenium
Automation - web testing with seleniumAutomation - web testing with selenium
Automation - web testing with seleniumTzirla Rozental
 
Automated Web Testing Using Selenium
Automated Web Testing Using SeleniumAutomated Web Testing Using Selenium
Automated Web Testing Using SeleniumWeifeng Zhang
 
Test Automation and Selenium
Test Automation and SeleniumTest Automation and Selenium
Test Automation and SeleniumKarapet Sarkisyan
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsFelipe Prado
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.VodqaBLR
 
Automation Testing using Selenium Webdriver
Automation Testing using Selenium WebdriverAutomation Testing using Selenium Webdriver
Automation Testing using Selenium WebdriverPankaj Biswas
 
Selenium WebDriver Tutorial For Beginners | What Is Selenium WebDriver | Sele...
Selenium WebDriver Tutorial For Beginners | What Is Selenium WebDriver | Sele...Selenium WebDriver Tutorial For Beginners | What Is Selenium WebDriver | Sele...
Selenium WebDriver Tutorial For Beginners | What Is Selenium WebDriver | Sele...Edureka!
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdfFarouk2nd
 

La actualidad más candente (20)

Automation Testing using Selenium
Automation Testing using SeleniumAutomation Testing using Selenium
Automation Testing using Selenium
 
Selenium IDE
Selenium IDESelenium IDE
Selenium IDE
 
Selenium-Locators
Selenium-LocatorsSelenium-Locators
Selenium-Locators
 
SELENIUM PPT.pdf
SELENIUM PPT.pdfSELENIUM PPT.pdf
SELENIUM PPT.pdf
 
Laravel presentation
Laravel presentationLaravel presentation
Laravel presentation
 
Selenium IDE LOCATORS
Selenium IDE LOCATORSSelenium IDE LOCATORS
Selenium IDE LOCATORS
 
How to Reverse Engineer Web Applications
How to Reverse Engineer Web ApplicationsHow to Reverse Engineer Web Applications
How to Reverse Engineer Web Applications
 
Express JS
Express JSExpress JS
Express JS
 
Automation - web testing with selenium
Automation - web testing with seleniumAutomation - web testing with selenium
Automation - web testing with selenium
 
Automated Web Testing Using Selenium
Automated Web Testing Using SeleniumAutomated Web Testing Using Selenium
Automated Web Testing Using Selenium
 
Test Automation and Selenium
Test Automation and SeleniumTest Automation and Selenium
Test Automation and Selenium
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
Java Programming
Java ProgrammingJava Programming
Java Programming
 
Spring boot
Spring bootSpring boot
Spring boot
 
Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.Dynamic Security Analysis & Static Security Analysis for Android Apps.
Dynamic Security Analysis & Static Security Analysis for Android Apps.
 
Introduction to Selenium Web Driver
Introduction to Selenium Web DriverIntroduction to Selenium Web Driver
Introduction to Selenium Web Driver
 
Automation Testing using Selenium Webdriver
Automation Testing using Selenium WebdriverAutomation Testing using Selenium Webdriver
Automation Testing using Selenium Webdriver
 
Selenium WebDriver Tutorial For Beginners | What Is Selenium WebDriver | Sele...
Selenium WebDriver Tutorial For Beginners | What Is Selenium WebDriver | Sele...Selenium WebDriver Tutorial For Beginners | What Is Selenium WebDriver | Sele...
Selenium WebDriver Tutorial For Beginners | What Is Selenium WebDriver | Sele...
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
 

Destacado

Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From WindowsNetSPI
 
GPU Cracking - On the Cheap
GPU Cracking - On the CheapGPU Cracking - On the Cheap
GPU Cracking - On the CheapNetSPI
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksNetSPI
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingNetSPI
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentDamon Small
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingNetSPI
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2NetSPI
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingNetSPI
 

Destacado (11)

Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From Windows
 
GPU Cracking - On the Cheap
GPU Cracking - On the CheapGPU Cracking - On the Cheap
GPU Cracking - On the Cheap
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 
Fuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox TestingFuzzing and You: Automating Whitebox Testing
Fuzzing and You: Automating Whitebox Testing
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability Assessment
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration Testing
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration Testing
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
 
Thick client application security assessment
Thick client application security assessmentThick client application security assessment
Thick client application security assessment
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 

Similar a All You Need is One - A ClickOnce Love Story - Secure360 2015

VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"Aaron Rinehart
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemRogue Wave Software
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Teemu Tiainen
 
SPI Dynamics web application security 101
SPI Dynamics web application security 101 SPI Dynamics web application security 101
SPI Dynamics web application security 101 Wade Malone
 
Ransomware: Mitigation Through Preparation
Ransomware: Mitigation Through PreparationRansomware: Mitigation Through Preparation
Ransomware: Mitigation Through PreparationHostway|HOSTING
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Applicationedavid2685
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on VehiclesPriyanka Aash
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021lior mazor
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzSeniorStoryteller
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareMyNOG
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxlior mazor
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3Trish McGinity, CCSK
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applicationseightbit
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 

Similar a All You Need is One - A ClickOnce Love Story - Secure360 2015 (20)

VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
 
SPI Dynamics web application security 101
SPI Dynamics web application security 101 SPI Dynamics web application security 101
SPI Dynamics web application security 101
 
Securing Android
Securing AndroidSecuring Android
Securing Android
 
Ransomware: Mitigation Through Preparation
Ransomware: Mitigation Through PreparationRansomware: Mitigation Through Preparation
Ransomware: Mitigation Through Preparation
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source Software
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 

Último (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 

All You Need is One - A ClickOnce Love Story - Secure360 2015

  • 1. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org All You Need Is One - A ClickOnce Love Story Ryan Gandrud Cody Wass
  • 2. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Introduction • Ryan Gandrud – Penetration tester – Computer enthusiast • Cody Wass – Web applications – Scotch aficionado
  • 3. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Overview • ClickOnce? • Phishing-phriendly pheatures • Creating a malicious ClickOnce application • Phishing setup • Issues and pitfalls • Demo • Prevention
  • 4. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org ClickOnce WTF? • ClickOnce – What is it? – ClickOnce is a wrapper that sits around a Windows executable to “install” it on a machine – Used by application administrators to deploy installations to users in the network – Supports multiple deployment methods (web, network share, local execution)
  • 5. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org ClickOnce Internals • ProjectName.application – Contains the location of the manifest and application version information • ProjectName.exe.config.deploy – Contains application settings (i.e. connection strings, etc.) • ProjectName.exe.deploy – The (potentially malicious) executable that will be run by a user • ProjectName.exe.manifest – Manifest file containing application version, .NET versions supported, permission level requested, and signatures for the other files – Contains the file name for the executable
  • 6. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org ClickOnce Certificate Signing • ClickOnce and .NET support signing applications • Authenticode – Microsoft cert-based signing technology used to verify the authenticity of publisher • Need to “acquire” an code-signing Authenticode certificate from a Certificate Authority (CA) • Signing stages available – Signed (CA) – Self-signed (MakeCert.exe in .NET) – Unsigned (No cert used)
  • 7. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org ClickOnce Trust Architecture • Applications and how they are executed are based on a trust architecture separated into different execution source zones • ClickOnce allows permitted applications to elevate privileges automatically (Trusted Sites) or through prompting the user • Prompting levels are controlled by the following registry key – HKEY_LOCAL_MACHINESOFTWAREMICROSOFT.NETFra meworkSecurityTrustManagerPromptingLevel
  • 8. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org ClickOnce Trust Architecture (cont.) • These are features: "But the most important new feature when it comes to security is … the end user can elevate permissions without the help of an administrator“ • “If the application permissions don't exceed policy permissions, the application downloads and runs without asking the user any trust questions.” • “If the application needs more permissions than what's granted by policy, the user is asked if he wants to trust that application and elevate permissions... If the user clicks Run, the application is put into the Application Trust List and is downloaded and started.” MSDN:https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx
  • 9. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org ClickOnce Trust Architecture (cont.) • When ClickOnce was originally being developed in .NET 2.0 Beta 2, permissions looked promising with the Internet zone being restricted to applications signed by a valid certificate. Zone Applications My Computer Enabled Local Intranet Enabled Trusted Sites Enabled Internet Enabled for signed apps Untrusted Sites Disabled
  • 10. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org ClickOnce Trust Architecture (cont.) • Unfortunately, Microsoft decided to change this, specifically the Internet zone, and not for the best • Now, by default, ClickOnce packages that come from the Internet allow a user to grant the application temporary admin privileges in order to install Zone Applications My Computer Enabled Local Intranet Enabled Trusted Sites Enabled Internet Enabled Untrusted Sites Disabled
  • 11. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Owning With a Click • Why use ClickOnce application? – ClickOnce is supported on all modern Windows operating systems since it relies on .NET – All distributions come with at least .NET 2.0 since Windows Server 2k3 – .NET supports backwards compatibility – Dead simple to write – Public browser exploits are highly version specific and more often than not, crash the victim’s browser
  • 12. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Owning With a Click (cont.) • Originally meant to be deployed using Windows Internet Explorer – ClickOnce is supported by IE 6.0+ – Now supported by Firefox and Chrome using third party addons (.NET 3.5+) • Minimizes user interaction • Delivering malicious code through multiple options – It’s a .NET project – write your own – Include malicious executable as a resource
  • 13. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Payloads • Roll your own payload – Our original vector – Flagged by AV • Standard Metasploit payload – Also attempted – Reverse_HTTPS returned broken shells • Assumed due to AV or something inline during delivery of second Meterpreter stage
  • 14. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Payloads (cont.) • Powershell – Justin@sixdub did a great write-up on using Powershell commands instead of an executable for a Meterpreter callback with ClickOnce – Pros: • Powershell command runs in memory – never touches disk – Cons: • Difficulty in changing payloads • ClickOnce is already on disk http://www.sixdub.net/?p=555
  • 15. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Payloads (cont.) • Veil – Pros: • Payloads written in different languages • Encrypted Payloads – less likely to get caught by AV – Cons: • Static “random” Meterpreter callback • This is an issue with how Metasploit handles stagers – Will be fixed (hopefully) soon • We decided to go with Veil since we to avoid AV detection during our Red Team engagement
  • 16. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Payloads (cont.) • Problem: – Static Meterpreter callbacks from targets • Solution?: – Dynamically generating individualized Veil payloads
  • 17. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application • Visual Studio is used to create ClickOnce applications – The free edition of Visual Studio 2013 supports ClickOnce publishing • Start a new console application project within Visual Studio – No GUI popup during execution
  • 18. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.) • Using C# in .NET, create a new process that launches your included executable (ClickOnceInc.exe) static class Program { static void Main() { //Starting a new process executing the malicious exe System.Diagnostics.Process p = new System.Diagnostics.Process(); p.StartInfo.UseShellExecute = false; p.StartInfo.RedirectStandardOutput = false; p.StartInfo.FileName = "ClickOnceInc.exe"; p.Start(); } }
  • 19. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.) • Ensure that your application uses the correct version of .NET so the application runs properly. • Here, .NET 3.5 was chosen by navigating to the Application tab on the left, and selecting the Target Framework from the dropdown.
  • 20. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.)
  • 21. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.) • Include your malicious binary into the project by clicking and dragging it over your Solution Explorer
  • 22. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.) • In the Properties of the application under Publish: – Ensure the Install Mode is set to “available online only” • This prevents the application from showing up in the Start Menu – Clicking the Application Files… button • Exclude the hash for the ClickOnceInc.exe – Dynamic payload generation changes the hash
  • 23. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.)
  • 24. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.) • Clicking the Publish button, follow the wizard to publish the ClickOnce application to your local drive • There should be multiple files/directories – Application Files directory – Evil Survey.application – Publish.htm – Setup.exe
  • 25. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Creating a ClickOnce Application (cont.)
  • 26. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Server Setup • Web server with ClickOnce-specific directories – Kali with Veil, Metasploit, and Apache • Apache mod_rewrite – GET evil.com?u={ID} -> evil.com/{ID}/evil.application – Combined with dynamic Veil payloads, allowed easy analytics and post-mortem data gathering.
  • 27. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Callback Listener • Our solution: – Metasploit listener • Phishing scenario – targets are workstations • Most likely have outbound http access • Limited window of engagement • Egress filtering – ssh / icmp / dns tunneling
  • 28. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Pitfalls • Outdated packages / dependencies – Veil, Python, Wine. • Signing restrictions – No signing allowed with dynamic payloads • No easy way to use mage.exe on linux – Self-signed certs are only marginally better
  • 29. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Cleanup • ClickOnce install directory: – %LOCALAPPDATA%Apps2.0{machine- specific}{machine-specific}{obfuscated-app- name} • C:UsersBobAppDataLocalApps2.0F3RBL2XD.32Y Z3R2E8LL.92S{app-folder}
  • 30. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Cleanup • Add/Remove Programs • Delete relevant AppData folder • Nuke everything: – Note: This will clear the entire online application cache. – No need for elevated privileges, AppCaches are user-specific. rundll32 dfshim CleanOnlineAppCache
  • 31. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Demo • Client: – Windows 7 • Server (evil.com): – Kali running Apache to serve file – Metasploit listener running to catch callback
  • 32. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Preventative Measures • Typical Anti-Phishing Techniques – User education • Users continue through “… a quarter of Google Chrome’s malware and phishing warnings” – Endpoint protection • Signatures lag behind usage • Heuristics require a practical balance • Limited usefulness for other phishing-based vectors – Least privileged configurations
  • 33. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Preventative Measures • ClickOnce-Specific Techniques – Code Access Security • ClickOnce applications can specify a “permissions level” • Default: Full Trust – Requires prompt for elevation
  • 34. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Preventative Measures • Disabling Trust Prompt – HKEY_LOCAL_MACHINESOFTWAREMICROSOFT.NETFra meworkSecurityTrustManagerPromptingLevel – Trust prompt is controlled by zone • Untrusted Sites • Internet • My Computer • Local Intranet • Trusted Sites
  • 35. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Preventative Measures String Value subkey Value Internet Enabled UntrustedSites Disabled MyComputer Enabled LocalIntranet Enabled TrustedSites Enabled Option Registry setting value Enable the trust prompt. Enabled Restrict the trust prompt. AuthenticodeRequired Disable the trust prompt. Disabled
  • 36. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Preventative Measures • Windows 8 – SmartScreen Filter • Enabled by default • Adds another layer after user clicks ‘run’ for anything not signed by a recognized CA • Default ‘OK’ action results in application not running
  • 37. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Flowchart by Robin Shahan (@robindotnet)
  • 38. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org Questions?
  • 39. Celebrating a decade of guiding security professionals. @Secure360 or #Sec360 www.Secure360.org More Information / References • Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness – Devdatta Akhawe University of California, Berkeley, devdatta@cs.berkeley.edu – Adrienne Porter Felt Google, Inc, felt@google.com • http://leastprivilege.com/2006/02/18/beware-be-aware-of-clickonce-default-settings/ • https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx • https://msdn.microsoft.com/en-us/library/cc176048(v=vs.90).aspx • https://msdn.microsoft.com/en-us/library/ee308453.aspx • https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive- answer-2/ • https://blog.netspi.com/bypassing-av-with-veil-evasion/ • https://github.com/rapid7/metasploit-framework/issues/4895 • http://www.sixdub.net/?p=555 • https://blog.netspi.com/