Hello, hello everybody. How many of you speak Spanish? Okay, perfect. Well, we got here a trophy, because today, this morning, we had our soccer tournament and our team won the trophy, the Spanish team. I'm sorry for Argentina, South Africa, the rest of the teams; we want the trophy next year, maybe. Well, thank you for coming to this session. First of all, let me introduce us: my friend is Juan Garrido and I'm Chema Alonso. We are working in a small company in Spain called Informática 64. Before starting with the topic we would like to introduce our country. We are from Spain; probably it's a small country, this small country in the middle of everything. We are in the middle of Europe and Africa and South America because of our history, and if you never went to Spain you have to go there. I'm from Madrid, which is a very nice city. It was the capital of the Empire five centuries ago, but it's a very nice city, and if you go to Madrid you will never be a foreigner, because everyone who goes to Madrid is from Madrid. So come to our city. And Juanito is from another city; it was the capital of the Arabic Empire in the 7th century, when Spain was an Arabic country, lots of centuries ago. And from that tower, the Golden Tower, the first one on the left, is where the gold from America came to Europe. That's where Sevilla is, and Sevilla is very famous because of the parties, because of the flamenco and so on, and especially there are big monuments. This is one of the most famous monuments in Sevilla, the Plaza de España. Probably all of you know this monument, and you have to visit it because it's a monument in which you will fall in love, because if Anakin Skywalker could fall in love in Sevilla, you can do it also. So don't forget to visit our country. Well, and Juanito is from a very small area of Sevilla, which is Triana. Triana is an independent republic in Sevilla, and it's very famous for the Holy Week, because they are very religious and there are thousands of people carrying the images, and of course after that, having drinks.

Well, you know we work in Informática 64, and probably some of you have been listening about FOCA, which is one of the tools that we develop. It's a free tool that you can use for extracting information, pentesting and so on. Tomorrow we are going to deliver a workshop of 8 hours with the new version, which is the version 3, so if any of you want to attend, I'm not sure if you can book a seat, but you can ask for it.

What is the topic that we are going to talk about today? Well, we are going to talk about something which is very, very, very common, which is remote applications using Citrix and Terminal Services. There is a lot of work done previously about this topic, about Citrix applications and Windows Terminal Services, but we still believe that it is important, because nobody is taking care about it, and a lot of people have insecure environments. We are going to see how easily a hacker can get into a company just using this kind of environment.

So first of all, it's very easy to discover the entry point of a company. Just searching for "remote application" or "remote connection" on Google, searching for RDP files, you can discover almost two thousand places, almost 2,000 servers publishing applications. Of course you can discover also government sites, government remote applications that you can just click on and test. We'll see what happens. Well, you can do more or less the same in Bing. In Bing you cannot use the ext: modifier, but you can use filetype: (this is a txt file), and searching for any of the modifiers which appear in all the files you can discover thousands of remote applications. So some of the places that we discovered with this, with these remote applications, are from the government. This is one of the sites, the patrol order management system, which is a .mil domain here in the States. We were going to do a demo with this server, but we were talking to Jeff, and they found something, someone, and today it is fixed, I don't know why. But we are going to do the demo with the California Department of Transportation, which is another site. Well, just reading the website you can discover the remote application: there is an ICA file, and you can download the file and just click on it. Let's see what happens. I promise, five minutes ago it was working. Five minutes ago it was working; maybe... well, no problem, we are going to do it later, the next demo, don't worry. Well, how secure is this environment? Well, as we are going to see there are a lot of things to worry about, and it's very complicated to secure all the environments. This picture without the demo doesn't make sense, but... Sorry, sorry. Are you sure? Now I don't know; five minutes ago... okay, let's try it again. So, California Transportation routing database, here it is, Caltrans. No, no, they fixed it. Five minutes ago it was working, believe me. Well, don't worry.

Well, one of the biggest problems with these files, these configuration files, is the verbosity. Just reading the files, which are txt files, you can discover a lot of information like internal IP addresses, users, encrypted passwords. You cannot use that password, you can't extract the password from the encrypted password, but you can get access to the system using an anonymous account or a user account in the system, right? So these files are perfect for APTs, just for the people who are collecting information, or to prepare some special attacks like the Evilgrade attack. Just searching on the internet for this kind of files, searching for an ICA file, you can search for [unclear], and just searching for documents with [unclear] you can discover files with the password for Oracle just in the text. So you don't need to do anything special; there is a lot of information in that file. So due to this we decided to add this kind of files to FOCA, our tool for information gathering and for fingerprinting information about websites and companies, and right now you don't... not today, tomorrow, with the FOCA version, you will see that in the new version FOCA is searching for this kind of file and extracting information and so on.

The second big problem is that it's a txt file, so whoever has the file can modify the information and can try to get access to another part of the operating system. So just modifying the configuration file and generating error messages on the servers, you can discover something like all the applications in the operating system. You only need to create a logic with the error messages, and Terminal Services and Citrix servers have different error messages when you cannot get access to the file and when the file is not on the server. So just trying to ask for applications you can extract the whole list of applications installed in a computer. To do this in Terminal Services is quite simple, because there is a modifier which is "alternate shell". This option was created for versions of the RDP protocol previous to version 6, but it is still in the RDP files. In Terminal Services 2008 it doesn't work, but the option is there, so you can ask for an application and the terminal server will say okay, you cannot use this option, you cannot access this program because the alternate shell is forbidden, but you will receive different error messages. So if you receive "acceso denegado", which is in Spanish because Spanish is better, you know that the file is in the operating system, but if you receive "you cannot access this file", you know that this file is not in the server.

So the good thing is that you can do the same in Citrix, and there isn't any protection against one connection and another connection and another connection, and you don't even have to type a CAPTCHA. So you can optimize this procedure with a tool we created, Kaka, which is a computer-assisted [unclear] apps, and it's just a tool to do this. So, just open Kaka, select an ICA file, a list of applications (in the example notepad, regedit, cmd, [unclear] and calc), and the number of threads that you want to use in parallel, and Kaka will do this for you. So you can go and have a coffee; Kaka is working. Kaka is working well. Kaka is trying to open the applications, and the only thing that Kaka is doing is taking a snapshot. So then when Kaka finishes you only have to review the error messages. In this way you know if the application exists or not. You can use a very big list of applications and leave Kaka running on your computer for one day, and at the end of the day you got your list of applications. Well, quite simple.

The other thing with terminal applications is what we call "playing the piano". In Terminal Services environments and Citrix environments there are too many links, too many environment variables, too many shortcuts, too many options that allow a hacker to get to a special part of the system that the system administrator didn't think of at the beginning. One of our favorites is Windows Server 2008, because Windows Server 2008 wants to help you with everything. So if you ask for an application which is not in the operating system, Windows 2008 shows you an error message with a Help button. Why not? So just click on the Help button, the Help application appears, and in this application you got a lot of links to open Internet Explorer, or to open the Open File panel, and run commands and so on. Playing the piano was a very nice thing to do, with a lot of shortcuts to access different parts of the operating system, but right now we got more and more shortcuts. Sticky Keys, which is a funny thing: just clicking on the Shift key three or four times, the operating system will show you the Sticky Keys menu, which is within the Control Panel, so even if you don't have access to the Control Panel, with Sticky Keys you will be able to configure all the Control Panel of the operating system. You're clicking on save and so on; it's easy to do this.

Well, let's do a demo with Citrix. So, well, this is the website of Citrix, but this is the website for demo servers, so it's a demo, it's legal. We got a user here which is [unclear], a Spanish name; the rest of the user names were taken. No, no, no... now it is working. Well, this is the environment. As you can see in this environment we got a lot of applications. We are going to use Excel, because this talk is about Excel, so let's go to the Office applications and run Excel. Ten to ten, twenty-two to thirty... Excel is working well. Right now the system is downloading the client component, so open Excel, launch... you have to open, launch, no, maybe, no, no, execute, okay, launch, or something with Internet Explorer, but we are going to launch Excel. Excel is working, believe me. Starting Microsoft Excel; the internet is slow. Ah, now, the connector... no, no... oh my god, okay, it is working at least in the end. Well, now connect to the remote Excel. Come on, please. If someone is doing a man-in-the-middle attack in this network, please don't do it, Moxie. Oh wow, what happened with the internet here? Slowly, in English it's "more slowly"... fighting the internet. Hey, just open Excel. Yeah, okay, open. Well, this is the Citrix environment; it's supposed to be secured by the guys of Citrix, so let's try to, I don't know, use the environment variable to connect to the system root. It's forbidden. To the user profile, it's forbidden, and so on. But you can do a lot of tricks. One of the tricks that we do is just to create a shortcut to the command... finish, also all files, and then run, open... oh, they fixed it. No PowerShell. Too many consoles, too many consoles. PowerShell. So let's change; now we are going to use another console, same trick, another console, open, and it is working. Well, go there and you get access. It's very complicated, because every day the operating system is getting more and more complex, and the applications that we are publishing are more and more complex. Please stop, stop, stop, stop. How's this? Don't trust in people from Sevilla, believe me.

Well, the question is that the operating system is more and more complex and the applications are getting more and more complex, so every application that you are publishing through Terminal Services is a path to your operating system through Terminal Services. One of our favorites is the complex application, and of course Excel is one of the most complex applications that companies are publishing through remote application services. So the good thing is that Excel is a very powerful tool, and bosses love Excel, because you can do a lot of funny graphics and analyze a lot of data, connect Excel to databases, perform data mining and a lot of things which are very good for the business. And the good thing is that to do all those funny things you need Visual Basic for Applications. If you remove Visual Basic for Applications from your Excel, your Excel becomes another kind of application, but Excel no more. So the idea is that with Excel you can do a lot of things.

Let's do the first demo. In this demo, in local, we got a Windows 2008 with Hyper-V, no, with Terminal Services, sorry, and in this environment we published Excel 2007. We didn't use Excel 2010 because the security policies for macros are more or less the same. The main difference in security between Office 2010 and Office 2007 is about the sandbox, about the security option when you download a file from an unsecured location, from the internet and so on. But once you have the file in your machine and you're computing, the security policies for macros are the same. So in this environment we are going to execute just an Excel with macros. In a normal environment, when Excel is going to be executed in your local machine, the security option by default is that the user selects if he wants to execute the macro or not, because the user is running the macro on his machine. But in a Terminal Services environment or multi-application environment, the security option by default, which is "case by case, the user decides", is a bad option, because the user is running the Visual Basic for Applications not in their machine but in the shared machine, which is completely different. In this environment we are going to execute just a file with Visual Basic for Applications. [unclear], it is working. Well, in this example we created a panel, and this is the by-default option: the user decides, okay, enable this content or not. Okay, enable it, it's not my machine. So now you can... if the boss came, you can show the graphic. This is a good trick. Then open the [unclear]. So you can do a lot of things with Visual Basic for Applications, for instance see the processes and so on. As you can see, through the Windows Management Instrumentation you can run commands, retrieve the results and show them on the Excel file. Okay, let's close it.

So if we go back to the presentation, well, after seeing this demo it's clear that you have to take care about the security in Excel in remote environments. One of the first things that system administrators should tend to do is to block some special consoles like cmd, like PowerShell, WMI and so on, but there are too many consoles, and in Windows Server 2008 the backup directories copy all those consoles, which [unclear], and that creates a double problem, because you have double the consoles. But in this environment we are going to have all the consoles forbidden: using ACLs and using Software Restriction Policies we are going to forbid all the consoles, and you are going to see that we can use consoles even from another operating system. This is a trick that was published by Didier Stevens, and the idea is that you can inject a DLL into your Excel file, and that DLL is a command interpreter, so just invoking the command interpreter from your DLL you are going to have access to the server. So let's do a demo with this.

So if we go to the Windows Server 2008 and try to... to the server, and try to execute a command on it, it is forbidden. It's forbidden. But in the Excel file that we are going to open we got a DLL of ReactOS, and also a DLL for the registry editor of ReactOS. So just open the file and open the command line. Now the Excel file is extracting the DLL to execute it, and we are going to obtain the ReactOS command interpreter, actually working, I hope. Well, here it is. As you can see we got the ReactOS command interpreter, and it's like the command interpreter of Windows 2008, more or less the same. So this is a good trick. So go back to the slide. And of course in the Task Manager you cannot see the CMD, because it's a DLL which has been loaded by the Excel file, so it's not in the Task Manager. The user is only working with Excel, which is good for the company.

So go back to the slides. So of course after seeing this demo, sure, a good thing: okay, we are going to disable all the macros for my machine. If you use the first policy, which is "disable Visual Basic for Applications", it's for all Office applications, not only for Excel; it's for Word, PowerPoint, Access and so on. And for Excel you got four options: the third one is "execute all macros", which is insecure; the second option is "case by case, the user decides", and of course if the user is the attacker it is an insecure option; the third one is "no macros at all". So in the next demo we are going to select "no macros at all" in an Excel file published through a remote environment. So we go to the Windows 2008 and select... we are going to log off the idle connection of the user, okay, and now we go to the policies, and we are going to enable the policy and select "no... macros". "No warning" means for all macros; the third one, "no warning", is for... but "disable all macros", okay, no warning, and macros off. So select that option, okay, apply the policy, okay. Active Directory is working. Go back to the client and open the file. And this is one of my favorite tricks. So when you open the document, when the document is opening, you will see how it's impossible to execute anything, because everything is forbidden. Try to do anything; now it's forbidden, you cannot do anything. But there is something special with Excel: there are trusted locations. A trusted location is a path in which security policies are not applied, so you only need to save the document in a trusted location, and of course the trusted locations are in the user profile. So let's save the document. We are going to use a trusted location in the [unclear]. You can have trusted locations in the client machine or in the server machine; it doesn't matter. If the document is opened from a trusted location, all the security policies will disappear. So we are going to save it in one of the most famous trusted locations, which is the default workbook when you open a new file when there is no template. So we are going to copy here, save, close this document, and then open the document from the trusted location. Here it is. Well, "no macros at all" is not "no macros at all".

Well, after seeing this demo, there is a solution: no trusted locations at all? Well, after seeing this demo, maybe the system administrator can trust in digitally signed macros only, macros that have been digitally signed by a trusted Certification Authority. So let's do a demo with this. In the example we are going to select the fourth option: remember, first option all macros, second option case by case, third option no macros, and fourth option is only digitally signed macros. So let's log off the session, and then go, go, digitally signed macros, okay, okay, go on, apply, okay. After the [unclear] work, we can play Minesweeper meanwhile. Well, we got a digitally signed Excel file, but it's a self-signed Excel file, and we are going to obtain this message. Then... well, we obtain a warning, because this self-signed digital certificate is not from a trusted Authority, and the one before [unclear] no content. But there is a link, a link for "show signature details". So just click on the link; here is the digital certificate. So if we go to View Certificate and the certification path, we can discover the root of the Certification Authority, and we can view the certificate of it. So with the certificate, ah, we can install the certificate, because it's at user level. Perfect, install the certificate, next; it's at user level, so no problem at all. And now the message will change to "enable this content". And the last one, the funny one, is "trust all documents from this [publisher]". This is very important, because with this option you can start the Third World War. Because in the next example we created a CA that we installed right now, and if you install this CA, every document signed by this CA will be okay. And in the detail of the certificate there is a link for the CRL, and the CRL is a link that could be an HTTP link, an LDAP link, and an HTTP link could be a SQL injection attack. So if you install a CA and send an Excel file with a digitally signed macro to someone relevant in the company, and he or she opens the document, automatically it will try to connect to the CRL. So if you discover, for instance, a SQL injection vulnerability in [unclear], for instance, and you can install one of these root CAs in one of the DHS machines, and you send a file to a user which is working in that machine (you can discover which users are working in which machine using FOCA), you can start the Third World War. Well, just kidding, but we are going to do the demo. So in the example, the trust authority now has the CRL, so we are going to open a netcat and we are going to send the document to a user. In this environment it is the same user, but the point is that in remote application environments there is a pool of users that are shared for the rest of the users. So we are listening, and let's see if the query... okay, here, okay, as you can see there is a message: notice PHP, id equal five, [unclear].

So in the end, as you can see, it's very complex, it's very difficult to harden an environment with remote applications. So if you've got a Terminal Services environment publishing a lot of applications, or a Citrix environment, the first thing that you have to do is re-evaluate the security of the whole environment, re-evaluate the security of all documents. Of course you have to trust in nobody, nothing, nobody, even in "nobody", because in some operating systems "nobody" could be dangerous. Be sure about the applications that you are publishing. One of the funny things that we discovered is that in Terminal Services with TS Web Access, Terminal Services Web Access, a lot of administrators are using this option, which is "hide in Terminal Server Web Access". That means that if you have a remote application published on your Terminal Services, this application won't appear in the HTTP panel, but the application is still published, so if you know the name of the application you can connect to that application. And that's all. Thanks for standing here.
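One concrete check for the "verbosity" problem the talk describes, as an added example that is not a tool from the talk or from Informática 64: .rdp connection files are plain text with one `name:type:value` setting per line (type `s` string, `i` integer, `b` binary). The script below parses that format and reports the settings the talk names as leaking information (user name, domain, stored password, alternate shell) plus an internal private-range address, so an administrator can audit a file before publishing it. The sample file contents are constructed for the example; the list of sensitive settings and the private-address pattern are this example's own assumptions, not a Microsoft specification.

```python
"""Audit Remote Desktop (.rdp) connection files for information they leak.

Added example (not from the talk). The .rdp format is one "name:type:value"
setting per line, where type is s (string), i (integer) or b (binary).
"""
import re

# Settings that should not be present in a file published to the public.
# This list is an assumption of this example, based on the fields the talk names.
SENSITIVE = {
    "password 51": "stored (encrypted) password",
    "username": "user name",
    "domain": "domain name",
    "alternate shell": "alternate shell (program to launch)",
    "remoteapplicationprogram": "RemoteApp program path",
}

# RFC 1918 private ranges, with an optional ":port" suffix.
_PRIVATE_IP = re.compile(
    r"^(10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})(:\d+)?$"
)

# Constructed sample .rdp body, typical of what the talk says turns up on the web.
SAMPLE = """screen mode id:i:2
full address:s:10.1.2.3:3389
username:s:CONTOSO\\svc_reports
domain:s:CONTOSO
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB
alternate shell:s:C:\\Program Files\\App\\report.exe
compression:i:1
"""


def parse_rdp(text):
    """Return a dict of setting name -> (type, value). Malformed lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Split on the first two colons only: string values may contain ':' themselves
        # (drive letters, host:port).
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue
        name, typ, value = parts
        settings[name.strip().lower()] = (typ, value)
    return settings


def audit_rdp(text):
    """Return a list of (setting, reason) findings for a .rdp file body."""
    findings = []
    settings = parse_rdp(text)
    for name, (typ, value) in settings.items():
        # An empty value (e.g. "username:s:") carries nothing, so it is not flagged.
        if name in SENSITIVE and value != "":
            findings.append((name, SENSITIVE[name]))
    addr = settings.get("full address", ("s", ""))[1]
    if _PRIVATE_IP.match(addr):
        findings.append(("full address", "internal (RFC 1918) IP address"))
    return findings


if __name__ == "__main__":
    for setting, reason in audit_rdp(SAMPLE):
        print(f"{setting}: {reason}")
```

Run against a file that is about to be published, an empty result is the goal; each finding is a setting to strip (or, for the stored password and alternate shell, a reason to re-think publishing the file at all).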