
Bosses love Excel...hackers too!


Formal Metadata

Title
Bosses love Excel...hackers too!
Number of Parts
122
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Remote applications published by companies are all around us in the cloud. In this talk we are going to add ICA and Terminal Server apps to the fingerprinting process, automating the data analysis with FOCA. This allows an attacker to fingerprint internal software and internal networks and to combine that information with PTR scanning, evilgrade attacks and command execution through Excel files. In the end, we are going to play with a tricky feature in the security policies for remote Excel that allows hackers to bypass macro restrictions. Chema Alonso is a Security Consultant with Informatica64, a Madrid-based security firm. Chema holds Computer Science and System Engineering degrees from Rey Juan Carlos University and Universidad Politécnica de Madrid. During his more than six years as a security professional, he has consistently been recognized as a Microsoft Most Valuable Professional (MVP). Chema is a frequent speaker at industry events (Microsoft Technet / Security Tour, AseguraIT) and has been invited to present at information security conferences worldwide, including Black Hat Briefings, Defcon, Ekoparty and RootedCon. He is a frequent contributor to several technical magazines in Spain, where he writes about state-of-the-art attack and defense mechanisms, web security, general ethical hacking techniques and FOCA, the metadata extraction tool which he co-authors. Juan Garrido "Silverhack" is a forensics professional who has been working as a security consultant for the last seven years. He is the author of two books about forensic analysis in Windows environments and currently works as a security consultant at Informatica 64.
Transcript: English(auto-generated)
Hello. Hello, everybody. How many of you speak Spanish? Okay, perfect. Well, we got here a trophy because today, this morning, we had a soccer tournament and our team won the trophy. The Spanish team, the FOCA team. I'm sorry for Argentina and South Africa, the rest of the teams; we won the trophy. Next year, maybe. Well, thank you for coming to this session. First of all, let me introduce us: my friend is Juan Garrido and I'm Chema Alonso. We are working in a small company in Spain called Informatica 64, and before starting with the topic, we would like to introduce our country.

We are from Spain. Probably it's a small country. This is a small country in the middle of everything: we are in the middle of Europe, Africa and South America because of our history, and if you never went to Spain, you have to go there. I'm from Madrid, which is a very nice city. It was the capital of the big empire five centuries ago. But it's a very nice city, and if you go to Madrid you will never be a foreigner, because if you go to Madrid, you are from Madrid, so come to our city. Juanito is from another city. It was the capital of the Arabic empire in the seventh century, when Spain was an Arabic country a lot of centuries ago, and that tower, the gold tower, the first tower on the left, is where the gold from America came to Europe. That's the gold tower. It's in Sevilla, and Sevilla is very famous because of the parties, because of the government and so on. And especially, there are big monuments. This is one of the most famous monuments in Sevilla: it's the Plaza de España. Probably all of you know this monument, and you have to visit it because it's a monument in which you will fall in love, because if Anakin Skywalker fell in love in Sevilla, you can do it also. So don't forget to visit our country. Well, Juanito is from a very small area of Sevilla, which is Triana. Triana is an independent republic in Sevilla, and it's very famous for the Holy Week because they are very religious and there are thousands of people carrying the images and, of course, after that, having drinks.

Well, we work in Informatica 64, and probably some of you have been hearing about FOCA, which is one of the tools that we develop. It's a free tool that you can use for extracting information, pen testing and so on. Tomorrow we are going to deliver a workshop of eight hours with a new version, which is version three. So if any of you want to attend, I'm not sure if you can book a seat, but you can ask for it.

What is the topic that we are going to talk about today? Well, we are going to talk about something which is very common, which is remote applications using Citrix and Terminal Services. There is a lot of work done previously about this topic, about Citrix applications and Windows Terminal Services, but we still believe that it is important because nobody is taking care of it. A lot of people have a secure environment, and we are going to see how easily a hacker can get into a company just using this kind of environment. So first of all, it's very easy to discover the entry point of a company just by searching for remote applications or remote connections on Google. Just searching for RDP files, you can discover almost 2,000 places, almost 2,000 servers publishing applications. Of course, you can discover also government sites, governments with remote applications that you can just click on and test. We'll see what happens. Well, you can do more or less the same in Bing. In Bing you cannot use the extension modifier, but you can use the file type. This is a TXT file, and searching for any of the modifiers which appear in all the files, you can discover thousands of remote applications. So some of the places that we discovered with these remote applications are from the government. This is one of the sites, the patrol order management system. It's a .mil domain here in the States. We were going to do a demo with this server, but we were talking to Jeff and Jeff phoned someone, and today it's fixed. I don't know why. But we are going to do the demo with the California Department of Transportation, which is another site.

Well, just reading the websites, you can discover the remote application. There is an ICA file, and you can download the file and just click on it and see what happens. I promise five minutes ago it was working. Five minutes ago it was working. Maybe most was fun. Well, no problem. We are going to do the next demo. Don't worry. Well, as we are going to see, there are a lot of things to worry about, and it's very complicated to secure all the environments. This picture with the demo doesn't make sense. Sorry. Sorry. Are you sure? No. I don't learn it five minutes ago. Okay. Let's download it again. But we downloaded it five minutes ago. California transportation, routing database, here it is, Caltrans. No, no. They fixed it. Five minutes ago it was working, believe me.

Well, don't worry. Well, one of the biggest problems with these files, these configuration files, is the verbosity. Just reading the files, which are TXT files, you can discover a lot of crap information, like internal IP addresses, users, encrypted passwords. You cannot use that password. You can extract the password from the encrypted password, but you can get access to the system using an anonymous account or a user account in the system. So these files are perfect for the people who are collecting information or for some special attacks, like the evilgrade attack. Just searching on the Internet for this kind of files, just searching for an ICA file, you can search for ext:ica and just search for ICA files. Documents with RNT, you can discover files with the password for Oracle just in the text. So you don't need to do anything special. There is a lot of information in that file. So due to this, we decided to add this kind of files to FOCA, which is our tool for information gathering and for fingerprinting information about websites and companies. Right now, if you download tomorrow the FOCA 3 version, you will see that in the new version FOCA is searching for this kind of file and extracting information and so on.

The second big problem is that it's a TXT file, so whoever has the file can modify the information and can try to get access to another part of the operating system. So just by modifying the configuration file and generating error messages on the server, you can discover something like all the applications in the operating system. You only need to create a logic with the error messages, and Terminal Services and the server have different error messages when you cannot get access to the file than when the file is not on the server. So just trying to ask for applications, you can extract the whole list of applications installed on a computer. To do this in Terminal Services is quite simple because there is a modifier which is alternate shell. This option was created for versions of the RDP protocol previous to version 6, but it still exists in the RDP files of Terminal Services 2008. It doesn't work, but the option is there. So you can ask for an application and the terminal server will say, okay, you cannot access this program because the alternate shell is forbidden. But you will receive different error messages. So if you receive this message, which is in Spanish, you know that the file is in the operating system. But if you receive "you cannot get access to this file", you know that this file is not on the server. So the good thing is that you can do the same in Citrix, and there is no protection against one connection, another connection, another connection, and you don't even have to type a CAPTCHA. So you can optimize this procedure with a tool we created, Kaka, which is Computer-Assisted Citrix Apps. And it's just a tool to do this. So you only need to open Kaka, select one ICA file, a list of applications (cmd, notepad and calc) and the number of threads that you want to use in parallel, and Kaka will do this for you. So you can go to have a coffee. Kaka is working. Kaka is working. Well, Kaka is trying to open the application, and the only thing that Kaka is doing is taking a snapshot. So then, when Kaka finishes, you only have to review the error messages. So in this way, you know if the application exists or not. You can use a very big list of applications and leave Kaka running on a computer for one day, and at the end of the day you'll get your list of applications in Kaka.

The other thing with terminal applications is what we call playing the piano. In the Terminal Services environment and the Citrix environment, there are too many links, too many environment variables, too many shortcuts, too many options that allow a hacker to get to a special part of the system that the system administrator didn't think about at the beginning. One of our favorites is Windows Server 2008, because Windows Server 2008 wants to help you with everything. So if you ask for an application which is not in the operating system, Windows 2008 shows you an error message with a help button. Would you like help? Why not? So just clicking on help, the help application appears, and in this application you get a lot of links to open Internet Explorer or to open the open-file panel and run commands and so on. Playing the piano was a very nice thing to do, with a lot of shortcuts to access different parts of the operating system, but right now we've got more and more shortcuts. Sticky keys, which is a funny thing: just clicking on the shift key three or four times, the operating system will show you the sticky keys menu, which is within the control panel, so even if you don't have access to the control panel, with the sticky keys you will be able to configure all the control panel of the operating system, just clicking on shift and so on. It's easy to do this.

Well, let's do a demo with Citrix. Well, this is the website of Citrix, but as you can see, this is the website for demo servers, so it's a demo, it's legal. We got a user here, which is Tonto Del Culo, the Spanish name. The rest of the user names were taken. No. No, no, no, no. No, no, no. No, it is working. Well, this is the environment. As you can see in this environment, we got a lot of applications. We are going to use Excel, because this talk is about Excel, so let's go to the office applications and run Excel. Excel is working. Well, Excel is working. Well, right now the system is downloading the client components, so open Excel. Launch. You have to open launch. No? Maybe. No, no, no. Execute. Okay. Launch. Well, something with Internet Explorer, but we are going to launch Excel. Excel is working, believe me. Starting Microsoft Excel. Internet is slow. No, man. Are the weapons working? Where is Excel? Oh, my God. Okay, it is working, at least, in the end. Well, now connect to the remote Excel. Come on. Please, if someone is doing a man-in-the-middle attack in this network, please don't do it. What happened with the Internet? In English. Hey, just open Excel. We didn't do anything. Okay. Open. Well, this is the Citrix environment. It is supposed to be secured by the guys of Citrix, so let's try to, I don't know, use the environment variable to connect to the system root. It's forbidden. To the user profile. It's forbidden, and so on, but you can do a lot of tricks. One of the tricks that we did was just to create a shortcut to the command, finish, all files, and then run. Open. Open. Open. Ah, they fixed it. No, PowerShell. Too many consoles. Too many consoles. PowerShell. Let's change. Now we are going to use another console. Same trick, another console. Open. It is working. Go to the... And you get access to all. It's very complicated, because every day the operating system is getting more and more complex, and the applications that we are publishing through it are more and more complex. Please stop, stop, stop, stop, stop. Don't trust people from Sevilla, believe me.

Well, the question is that the operating system is more and more complex, and the applications are getting more and more complex, so every application that you are publishing through Terminal Services is a path to your operating system. One of our favorites is the complex application, and of course Excel is one of the most complex applications that companies are publishing through remote application services. So the good thing is that Excel is a very powerful tool, and bosses love Excel, because you can do a lot of funny graphics and analyze a lot of data, connect Excel to databases, perform data mining, and a lot of things which are very good for the business. And the good thing is that to do all those funny things, you need Visual Basic for Applications. If you remove Visual Basic for Applications from your Excel, your Excel becomes another kind of application, but Excel no more. So the idea is that with Excel you can do a lot of things.

Let's do the first demo, just locally. We got a Windows 2008 with Hyper-V, no, with Terminal Services, sorry, and in this environment we published Excel 2007. We didn't use Excel 2010, because the security policies for macros are more or less the same. The main difference between Office 2010 and Office 2007 is about the sandbox, about the security option when you download a file from an unsecure location from the Internet and so on, but once you have the file in your machine, in your computer, the security policies for macros are the same. So in this environment we are going to execute just an Excel file with Excel. It's going to be executed in your local machine. The security option by default is that the user selects if he wants to execute the macro or not, because the user is running the macro on his machine. But in a Terminal Services environment, a remote application environment, the security option by default, which is case by case, the user decides, is a bad option, because the user is running the Visual Basic for Applications not in their machine but in the shared machine, which is completely different. In this environment we are going to execute just a file with Visual Basic for Applications. It is working. Well, in the example we created a panel, and this is the by-default option. The user decides: okay, enable this content or not. Okay, enable. It's not my machine. So now you can, if the boss comes, you can show the graph. It's a good trick. Then open the panel. So you can do a lot of things with Visual Basic for Applications, for instance, see the processes, and so on. As you can see, close, through Windows Management Instrumentation, you can, through commands, retrieve the results and then show them in the Excel file. Okay, let's close it. So we go back to the presentation.

Well, after seeing this demo, it's clear that you have to take care about the security of Excel in remote environments. One of the first things that system administrators tend to do is to block some special controls, like the command console, like PowerShell, WMI, and so on. But there are too many consoles, and in Windows Server 2008 the backup directories copy all those consoles, which creates a double problem, because you have double the consoles. But in this environment we are going to have all the consoles forbidden. Using ACLs and using software restriction policies, we are going to forbid all the consoles, as you are going to see, but we can use consoles even from other operating systems. This is a trick that was published by Didier Stevens, and the idea is that you can inject a DLL into your Excel file, and that DLL is a command interpreter. So just invoking the command interpreter from your DLL, you are going to have access to the server. So let's do a demo with this. So if we go to the Windows Server 2008 and try to execute the command console, it is forbidden. But in the Excel file that we are going to open, we've got a DLL of ReactOS and also a DLL for the registry editor of ReactOS. So just open the file and open the command line. Now the Excel file is extracting the DLL to execute it, and we are going to obtain the ReactOS command interpreter. Actually working, I hope. Well, here it is. As you can see, we got the ReactOS command interpreter, and it's like the command interpreter of Windows 2008, more or less the same. So this is a good trick. So go back to the slides. And of course, in the task manager you cannot see the CMD because it's a DLL which has been loaded by the Excel file. So it's not in the task manager. The user is only working with Excel, which is good for the company. So go back to the slides.

So of course, after seeing this demo, some of you could think, okay, we are going to disable all the macros for my machine. If you use the first policy, which is disable Visual Basic for Applications, it's for all Office applications, not only for Excel; it's for Word, PowerPoint, Access, and so on. And for Excel, you've got four options. The second option is case by case, the user decides. Of course, if the user is the attacker, it's an unsecure option. The third one is no macros at all. So in this demo we are going to select the no macros at all in an Excel file published through a remote environment. So we go to the Windows 2008 and select. We are going to log off the connection of the user. Okay. And now we go to the policies and we are going to enable the policy and select no, no macros, no warnings for all macros. The third one, no warnings for all macros, but disable all macros. Okay. No warning and macros off. So select that option. Okay. Apply the policy. Okay. Active Directory is working. Okay. So go back to the client and open the file. And this is one of my favorite tricks. So when you open the document, when the document is open, you will see how it's impossible to execute anything because everything is forbidden. Try to do anything? No, it's forbidden. You cannot do anything. But there is something special with Excel. There are trusted locations. A trusted location is a path in which security policies are not applied. So you only need to save the document in a trusted location. And of course, the trusted locations are in the user profile. So let's save the document. We are going to use a trusted location. You can have trusted locations in the client machine or in the server machine. It doesn't matter. If the document is opened from a trusted location, all the security policies will disappear. So we are going to save in one of the most famous trusted locations, which is the default book. When you open a new file, there is something. Close. And then open the document from the trusted location. Here it is. Well, no macros at all. It's not macros at all. Well, after seeing this demo, there is a solution: no trusted locations at all.

Well, after seeing this demo, maybe the system administrator can trust in digitally signed macros. Only macros that have been digitally signed by a trusted certification authority. So let's do a demo with this. In the next example we are going to select the fourth option. Remember: first option, all macros. Second option, case by case. Third option, no macros. And fourth option is only digitally signed macros. So let's log out the session. And then we are going to go, go, go, go. Digitally signed macros. Okay. Okay. Apply. Okay. We can play Minesweeper meanwhile. Well, we got a digitally signed Excel file, but it's a self-signed Excel file. And we are going to obtain this message. Okay. Okay. Okay. Well, we obtain a warning because it's self-signed. It's not from a trusted authority. You get "help protect me from unknown content". There is a link, a link for show signature details. So just click on the link. Here is the digital certificate. So if we go to view certificate and the certification path, we can discover the root of the certification authority. And we can view its certificate. So we can install the certificate because it's at user level. Perfect. Install the certificate. Next. It's at user level. So no problem at all. And now the message will change to enable this content.

And the last one is the funny one. This is very important, because with this option you can start the third world war. Because in this example we created a CA that we installed right now. And if you install this CA, every time you open a document signed by this CA, it will be okay. And in the digital certificate there is a link for the CRL. And the CRL is a link that could be an HTTP link, an LDAP link, and an HTTP link could be a SQL injection attack. So if you install the CA and send an Excel file with a digitally signed macro to someone relevant in the company and he or she opens the document, automatically the crypto will try to connect to the CRL. So if you discover, for instance, a SQL injection vulnerability in the core of China, for instance, and you can install one of these rogue CAs in one of the DHAs machines and you send a file to a user who is working in that machine, you can discover which users are working in which machine using FOCA. You can start the third world war. Well, just kidding, but we are going to do the demo locally. So in this example, that trusted authority has now the CRL. So we are going to open a netcat and we are going to send the document to a user. In this environment it's the same user, but the problem is that in remote application environments there is a pool of users that are shared for the rest of the users. So we are listening, and let's see if the query is okay here. Okay, as you can see, there is some message. Notice PHP ID five equal five sat down. Minus, hello, Aurora. I don't know, whatever.

So in the end, as you can see, it's very complex. It's very difficult to harden an environment with remote applications. So if you've got a Terminal Services environment publishing a lot of applications, or a Citrix environment, the first thing that you have to do is reevaluate the security of the whole environment, reevaluate the security of all documents. Of course, you have to trust nobody, not anybody, because in some operating systems "nobody" could be dangerous. And be sure about the applications that you are publishing. One of the funny things that we discovered is that in Terminal Services, with Terminal Services Web Access, a lot of administrators are using this option, which is hide in Terminal Server Web Access. That means that if you have a remote application published on your Terminal Services, this application won't appear in the HTTP panel, but the application is still published. So if you know the name of the application, you can connect to that application. And that's all. Thanks for standing here.
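As an added, defender-side example (not code from the talk, from FOCA or from the Kaka tool the speakers mention), the following Python script audits .rdp and .ica connection files for the verbosity the talk describes: internal addresses, account names, stored passwords and an alternate shell or initial program, which are the fields worth reviewing before such a file is published on a web site. It covers both file types discussed above (the RDP files with the alternate shell modifier and the ICA files with users and passwords in the text). The RDP key names are the documented key:type:value settings; the ICA section and key names are the usual INI-style ones; the two sample files, including their IP addresses, host names and password values, are constructed for this example.

```python
"""Audit .rdp and .ica connection files for over-verbose settings.

Added example for this page, not code from the talk or from FOCA/Kaka.
The sample files below are constructed; addresses and passwords are made up.
"""
import configparser
import re

# An .rdp file holds one "key:type:value" setting per line (type is s, i or b).
RDP_LINE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

# Keys whose presence in a world-readable file is worth reporting.
RDP_SENSITIVE = {
    "full address": "target host or internal IP",
    "gatewayhostname": "RD Gateway host",
    "username": "account name",
    "domain": "domain name",
    "password 51": "DPAPI-protected password blob",
    "alternate shell": "program started instead of the desktop",
    "remoteapplicationprogram": "RemoteApp name (published even if hidden in TS Web Access)",
}
ICA_SENSITIVE = {
    "address": "XenApp server or internal IP",
    "httpbrowseraddress": "ICA browser address",
    "username": "account name",
    "domain": "domain name",
    "password": "encrypted password",
    "clearpassword": "clear-text password",
    "initialprogram": "published application",
}

# Constructed samples; the values are invented for this example.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:10.20.30.40
username:s:svc_reports
domain:s:CORP
alternate shell:s:calc.exe
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB
"""
SAMPLE_ICA = """\
[WFClient]
Version=2
HttpBrowserAddress=citrix.example.internal:80

[ApplicationServers]
Excel=

[Excel]
Address=192.168.1.25
InitialProgram=#Excel
Username=anonymous
ClearPassword=Summer2011
"""


def parse_rdp(text):
    """Return {key: value} for every well-formed line of an .rdp file (keys lowercased)."""
    settings = {}
    for line in text.splitlines():
        m = RDP_LINE.match(line.strip())
        if m:
            settings[m.group("key").strip().lower()] = m.group("value")
    return settings


def parse_ica(text):
    """Return {section: {key: value}} for an INI-style .ica file."""
    # '=' only: ICA values may contain ':' (host:port); strict=False tolerates duplicates.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def audit_rdp(text):
    """List (key, value, why) for each sensitive, non-empty RDP setting."""
    return [(k, v, RDP_SENSITIVE[k]) for k, v in parse_rdp(text).items()
            if k in RDP_SENSITIVE and v != ""]


def audit_ica(text):
    """List (section, key, value, why) for each sensitive, non-empty ICA setting."""
    findings = []
    for section, kv in parse_ica(text).items():
        for k, v in kv.items():
            if k in ICA_SENSITIVE and v != "":
                findings.append((section, k, v, ICA_SENSITIVE[k]))
    return findings


def audit(text):
    """Pick the parser by shape: INI section headers mean ICA, otherwise RDP."""
    if re.search(r"^\[.+\]\s*$", text, re.MULTILINE):
        return [("ica",) + f for f in audit_ica(text)]
    return [("rdp",) + f for f in audit_rdp(text)]


if __name__ == "__main__":
    for sample in (SAMPLE_RDP, SAMPLE_ICA):
        for finding in audit(sample):
            print(" | ".join(finding))
```

Run it over the connection files a web server actually serves (or over the ones a crawler finds) and treat every hit as a question for the owner: does this value need to be in a public file at all, and if a stored credential or an alternate shell shows up, the file should be regenerated rather than edited by hand.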