Bypass firewalls & application white lists & secure remote desktops under 20 seconds

Presented at DEF CON 22 (2014), Aug. 8, 2014, 1 p.m. (60 minutes)

In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation. I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!

Presenters:

• Zoltán Balázs - Chief Technology Officer at MRG Effitas
  Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing. Before MRG Effitas, he worked for 5 years in the financial industry as an IT Security expert, and for 2 years as a senior IT security consultant at one of the Big Four companies. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie browser tool, consisting of POC malicious browser extensions for Firefox, Chrome and Safari. He has been invited to present at information security conferences worldwide including Hacker Halted USA, OHM, Hacktivity, Ethical Hacking, Defcamp. He is a proud member of the gula.sh team, 2nd runner up at global Cyberlympics 2012 hacking competition.

Links:

• https://defcon.org/html/defcon-22/dc-22-speakers.html#Balazs
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 slides/DEF CON 22 - Hacking Conference Presentation Zoltan Balazs - Bypass firewalls & application white lists & secure remote desktops under 20 seconds - Slides.mp4
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 slides/DEF CON 22 - Hacking Conference Presentation Zoltan Balazs - Bypass firewalls & application white lists & secure remote desktops under 20 seconds - Video.mp4
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 slides/DEF CON 22 - Hacking Conference Presentation Zoltan Balazs - Bypass firewalls & application white lists & secure remote desktops under 20 seconds - Slides.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 22/DEF CON 22 video and slides/DEF CON 22 - Zoltan Balazs - Bypass firewalls & application white lists & secure remote desktops under 20 seconds - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=ssE_mwSEH9U

Similar Presentations:

• DEF CON 30 (2022) / Wakanda Land Demo
• DEF CON 10 (2002) / Hacking .NET Server
• Black Hat Asia 2019 / When Voice Phishing Met Malicious Android App