Do you want to get up to speed on the latest hacker techniques?
I snagged this list from reddit:
Abusing Windows Management Instrumentation (WMI) to Build a Persistent Asynchronous and Fileless Backdoor
Crash & Pay: How to Own and Clone Contactless Payment Devices
Forging the USB Armory an Open Source Secure Flash-Drive-Sized Computer
SMBv2: Sharing More than Just Your Files
Stagefright: Scary Code in the Heart of Android
Writing Bad @$$ Malware for OS X
WSUSpect – Compromising the Windows Enterprise via Windows Update
Here is info on the Android hack:
We did discuss the WMI BlackHat presentation here: http://oversitesentry.com/blackhat-presentation-wmi-architecture-used-to-attack/
The WSUSpect and SMBv2 papers are the two that deserve close review.
Windows Server Update Services (WSUS)
Image from white paper.
Apparently WSUS update traffic can be intercepted if the server is not set up with SSL.
Go to page 17 of the paper:
Any Windows computer that fetches updates from a WSUS server using a non-HTTPS URL is vulnerable to the injection attack described in the white paper. Check the registry keys:
If HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate contains a URL without an https:// address, then that computer is susceptible to the injection attack.
Fix your WSUS configurations – set up SSL.
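Here is a quick PowerShell check you can run on a client to see which way it is configured. This is an added example, not code from the post or from the WSUSpect paper; it assumes the WSUS server address is stored in the WUServer and WUStatusServer values under the policy key quoted above, and that the UseWUServer value under the AU subkey says whether the client actually uses that server (those value names are my assumption from standard WSUS client policy, not something the post lists).

```powershell
# Added example, not from the original post or the WSUSpect paper.
# Reads the WSUS client policy key named in the post and reports whether
# each configured update URL uses https://. Assumed value names:
# WUServer, WUStatusServer (policy key) and UseWUServer (AU subkey).
function Test-WsusTransport {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au     = Join-Path $policy 'AU'

    if (-not (Test-Path $policy)) {
        # No policy key at all: the client talks to Microsoft Update directly,
        # so there is no WSUS URL to inspect.
        return [pscustomobject]@{
            Value   = 'n/a'
            Url     = 'n/a'
            UsesTls = $true
            InUse   = $false
            Finding = 'No WSUS policy key present; client uses Microsoft Update.'
        }
    }

    $cfg     = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $useWsus = (Get-ItemProperty -Path $au -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $cfg.$name
        if (-not $url) { continue }           # value not set, nothing to check

        $tls = $url -match '^https://'
        [pscustomobject]@{
            Value   = $name
            Url     = $url
            UsesTls = $tls
            InUse   = ($useWsus -eq 1)
            Finding = if ($tls) { 'OK: updates fetched over HTTPS' }
                      elseif ($useWsus -eq 1) { 'EXPOSED: plain-HTTP WSUS URL in use' }
                      else { 'Plain-HTTP URL set but UseWUServer is not 1' }
        }
    }
}

Test-WsusTransport | Format-Table -AutoSize
```

Any row marked EXPOSED is a client the paper's injection attack applies to. Switching the URL to https:// on the client side is only half the fix: the WSUS server itself has to be issued a certificate the clients trust and configured to require SSL, otherwise the clients simply stop receiving updates.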
The SMBv2 talk, “Sharing More than Just Your Files”, also describes a dangerous security problem. Frank James calls it the “French Kiss Attack”.
Apparently there is a failure in the Single Sign On design: the French Kiss attack allows the attacker to capture a Windows SSO username and the NTLMv2 hash of the password. With certain configurations, an 8 digit password can then be cracked within 2 days.
The exploitation works when a computer tries to connect to a remote share on the Internet; the attacker can then sniff the traffic and steal the password hashes.
The problem also applies to any Windows public terminal servers (or cloud servers). So do you have a cloud system? Do you connect to a remote desktop system with terminal services? Then you are susceptible to this attack.
Microsoft says to block SMB traffic at the perimeter (ports 137, 138, 139, and 445).
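The perimeter block is done on your firewall, but the same rule is worth enforcing on each Windows host as well, so a laptop that leaves the office keeps the protection. The following is an added example, not from the post or from Microsoft's guidance; it uses the built-in Windows Firewall cmdlets (Windows 8.1 / Server 2012 R2 and later) and the firewall's own "Internet" address keyword, so SMB to intranet file servers keeps working while SMB to Internet addresses is dropped.

```powershell
# Added example, not from the original post or Microsoft's guidance.
# Creates host-level Windows Firewall rules that block outbound SMB and
# NetBIOS (the four ports the post lists) to Internet addresses only, so a
# UNC path pointing at an Internet host cannot trigger an NTLM authentication.
function Block-OutboundSmbToInternet {
    $rules = @(
        @{ Name = 'Block outbound SMB (TCP 139,445) to Internet';     Protocol = 'TCP'; Ports = 139, 445 },
        @{ Name = 'Block outbound NetBIOS (UDP 137,138) to Internet'; Protocol = 'UDP'; Ports = 137, 138 }
    )

    foreach ($r in $rules) {
        # Idempotent: skip rules that already exist so the script can be re-run.
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }

        New-NetFirewallRule -DisplayName $r.Name `
            -Direction Outbound `
            -Action Block `
            -Protocol $r.Protocol `
            -RemotePort $r.Ports `
            -RemoteAddress Internet `
            -Profile Any | Out-Null
    }
}

# Shows what was created, with the port filter attached to each rule.
function Show-OutboundSmbRules {
    Get-NetFirewallRule -DisplayName 'Block outbound * to Internet' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule       = $_.DisplayName
                Enabled    = $_.Enabled
                Protocol   = $port.Protocol
                RemotePort = ($port.RemotePort -join ',')
            }
        }
}

Block-OutboundSmbToInternet     # must run from an elevated PowerShell session
Show-OutboundSmbRules | Format-Table -AutoSize
```

The rules only stop the outbound connection on the host itself; the perimeter block Microsoft recommends is still needed for devices you cannot manage this way, and a terminal server or cloud host that must never reach Internet shares is a good candidate for both.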
That is a short summary for now – I may edit this post later.