7 Best Black Hat 2015 White Papers

Do you want to get up to speed on the latest hacker techniques?

Snagged this list from reddit:

https://www.reddit.com/r/netsec/comments/3fz6z6/blackhat_usa_2015_presentation_slideswhite_papers/cttslpu


Abusing Windows Management Instrumentation (WMI) to Build a Persistent Asynchronous and Fileless Backdoor

Crash & Pay: How to Own and Clone Contactless Payment Devices

Forging the USB Armory an Open Source Secure Flash-Drive-Sized Computer

SMBv2: Sharing More than Just Your Files

Stagefright: Scary Code in the Heart of Android

Writing Bad @$$ Malware for OS X

WSUSpect – Compromising the Windows Enterprise via Windows Update


Here is info on the Android hack:

https://www.blackhat.com/docs/us-15/materials/us-15-Bobrov-Certifi-Gate-Front-Door-Access-To-Pwning-Millions-Of-Androids.pdf

We discussed the WMI BlackHat presentation here: http://oversitesentry.com/blackhat-presentation-wmi-architecture-used-to-attack/

WSUSpect and SMBv2 are two papers that deserve close review.

Windows Server Update Service (WSUS)

[Image: WSUS protocol diagram, from the white paper.]

Apparently WSUS can be intercepted if not set up with SSL.

Go to page 17 of the paper:

Any Windows computer that fetches updates from a WSUS server using a non-HTTPS URL is vulnerable to the injection attack described in the white paper. Check the registry key:

If HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate has a URL without an https:// address, then it is susceptible to the injection attack.
Fix your WSUS configuration: set up SSL.
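A quick way to run that check on a client, as an added example (not from the post or the white paper). It assumes the WSUS URLs live in the standard WUServer and WUStatusServer values under that key, which the post does not name:

```powershell
# Added example: flag WSUS URLs that are not HTTPS.
# Assumption: the standard policy values WUServer and WUStatusServer hold the WSUS URLs.
$WsusPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusHttps {
    param([string]$KeyPath = $WsusPolicyKey)

    if (-not (Test-Path $KeyPath)) {
        Write-Output "No WSUS policy at $KeyPath (client talks to Windows Update directly)."
        return
    }

    $props = Get-ItemProperty -Path $KeyPath
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $props.$name
        if ([string]::IsNullOrWhiteSpace($url)) { continue }

        # Only the scheme matters: anything that is not https:// leaves the update
        # channel open to the injection attack described in the WSUSpect paper.
        $uri = $null
        $parsed = [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)
        if ($parsed -and $uri.Scheme -eq 'https') {
            Write-Output "OK   $name = $url"
        } else {
            Write-Warning "FIX  $name = $url  (not HTTPS; susceptible to update injection)"
        }
    }
}

Test-WsusHttps
```

Run it in an elevated PowerShell on each WSUS client; any line marked FIX points at a server URL that should be switched to https:// once the WSUS server has an SSL certificate.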


The SMBv2 paper, “Sharing More than Just Your Files”, describes another dangerous security problem. Frank James calls it the “French Kiss Attack”.


Apparently there is a failure in the Single Sign-On design: the French Kiss attack allows the attacker to capture a Windows SSO username and the NTLMv2 hash of the password. With certain configurations, an 8-digit password can then be cracked within 2 days.

The exploitation works when a computer tries to connect to a remote share on the Internet; the attacker can then sniff the traffic and steal the password hashes.
The problem also affects any Windows public terminal servers (or cloud servers). So do you have a cloud system? Do you connect to a remote desktop system with terminal services? Then you are susceptible to this attack.
Microsoft says to block SMB traffic at the perimeter (ports 137, 138, 139 and 445).
That is a short summary for now – I may edit this post later.