Kiosk Hacking Redux

Video thumbnail (Frame 0) Video thumbnail (Frame 1532) Video thumbnail (Frame 4463) Video thumbnail (Frame 5638) Video thumbnail (Frame 6859) Video thumbnail (Frame 7758) Video thumbnail (Frame 8754) Video thumbnail (Frame 10009) Video thumbnail (Frame 11150) Video thumbnail (Frame 13237) Video thumbnail (Frame 15579) Video thumbnail (Frame 18569) Video thumbnail (Frame 22224) Video thumbnail (Frame 25583) Video thumbnail (Frame 29632) Video thumbnail (Frame 30683) Video thumbnail (Frame 31881) Video thumbnail (Frame 32883) Video thumbnail (Frame 34091) Video thumbnail (Frame 35074) Video thumbnail (Frame 35975) Video thumbnail (Frame 37491) Video thumbnail (Frame 38434) Video thumbnail (Frame 39388) Video thumbnail (Frame 40497) Video thumbnail (Frame 41522) Video thumbnail (Frame 42790) Video thumbnail (Frame 43816) Video thumbnail (Frame 44920) Video thumbnail (Frame 45858) Video thumbnail (Frame 46809) Video thumbnail (Frame 47823) Video thumbnail (Frame 48799) Video thumbnail (Frame 49817) Video thumbnail (Frame 50853) Video thumbnail (Frame 52293) Video thumbnail (Frame 53207) Video thumbnail (Frame 54133) Video thumbnail (Frame 55284) Video thumbnail (Frame 56213) Video thumbnail (Frame 58023) Video thumbnail (Frame 59218) Video thumbnail (Frame 60132) Video thumbnail (Frame 61075) Video thumbnail (Frame 62082) Video thumbnail (Frame 63262)
Video in TIB AV-Portal: Kiosk Hacking Redux

Formal Metadata

Kiosk Hacking Redux
Alternative Title
Internet Kiosk Terminals : The Redux
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Paul Craig - Internet Kiosk Terminals : The Redux Paul Craig is the self-proclaimed "King of Kiosk Hacking" You have likely heard of him or his pornographic tool iKAT (Interactive Kiosk Attack Tool). For the last 3 years he has dedicated his life to striking fear into the hearts of Kiosk vendors. This talk will compromise all of his latest advancements in the field of hacking Kiosk terminals. Multiple platforms, vendors, technologies and more shells than you can shake a stick at. If you have ever wanted to hack that lonely web-browsing computer in the corner of a room, this is the talk for you. This talk will also showcase a live freestyle Kiosk hacking session, with a truck load of slick ninja techniques and zero-day. Watch out - the King of Kiosk hacking is back in town. Paul Craig works at with a bunch of some of the best hackers in the world. Paul lives for hacking, it's in his blood! From the age of 13 he has have been addicted to popping shells, stealing access and escalating privileges. He loves his job and is fully committed to the trade.
Point (geometry) Slide rule Presentation of a group Interactive kiosk Coma Berenices Perturbation theory Power (physics) Hacker (term) Internetworking Interactive kiosk Software testing Right angle Hacker (term) Information security Chi-squared distribution
Point (geometry) Game controller Multiplication sign Interactive kiosk Chaos (cosmogony) System call Neuroinformatik Number Internetworking Software Internetworking Interactive kiosk Gastropod shell Video game Right angle Software testing Gastropod shell Hacker (term) Information security Window Metropolitan area network
Interactive kiosk Interactive kiosk Gastropod shell Software industry Entire function Computing platform Subset Product (business)
Scripting language Presentation of a group Interactive kiosk Interactive kiosk Gastropod shell Electronic mailing list Cuboid Website Right angle Series (mathematics) Plug-in (computing) 2 (number)
Presentation of a group Uniform resource locator Gastropod shell Interactive kiosk Videoconferencing Chaos (cosmogony) Game theory Computer-assisted translation Information security Exploit (computer security) Game theory Software bug
Standard deviation Touchscreen Interactive kiosk Chaos (cosmogony) Software bug Radical (chemistry) Digital photography Goodness of fit Process (computing) Hacker (term) Touch typing Quicksort Hacker (term) Computer-assisted translation Information security
User interface Game controller Functional (mathematics) Group action User interface System administrator Interactive kiosk Bit Chaos (cosmogony) Latent class model 2 (number) Product (business) Data model Word Integrated development environment Interactive kiosk Gastropod shell Energy level Endliche Modelltheorie Information security Information security
Mathematics Integrated development environment Key (cryptography) Interactive kiosk Gastropod shell Website Cloning
Game controller 1 (number) Chaos (cosmogony) Web browser Number Neuroinformatik Data model Different (Kate Ryan album) Operating system Physical law Endliche Modelltheorie Information security Computing platform Keyboard shortcut Physical law Interactive kiosk Computer Instance (computer science) Radical (chemistry) Process (computing) Software Interactive kiosk Website Right angle Information security Library (computing)
Code Multiplication sign Sheaf (mathematics) Chaos (cosmogony) Open set Web 2.0 Sign (mathematics) Different (Kate Ryan album) Hypermedia Semiconductor memory Cuboid Office suite System identification Vulnerability (computing) Email File format Structural load Computer file Web application Macro (computer science) Numeral (linguistics) Order (biology) Right angle Hacker (term) Probability density function Web page Trail Game controller Computer file Letterpress printing Web browser Graph coloring Hacker (term) Software Gastropod shell Energy level Maize Macro (computer science) Computing platform Metropolitan area network Execution unit Dot product Interactive kiosk Plastikkarte Counting Cursor (computers) Cartesian coordinate system Software Information retrieval Computing platform Window
Installation art Computer file Java applet Code System administrator Chaos (cosmogony) Open set Web browser Trigonometric functions 2 (number) Hacker (term) Gastropod shell Communications protocol Plug-in (computing) Chi-squared distribution Email Key (cryptography) File format Interface (computing) Interactive kiosk Cartesian coordinate system Web browser Integrated development environment Software Royal Navy Quicksort Communications protocol
Mobile app Backup Group action Run time (program lifecycle phase) Code Flash memory Numbering scheme Chaos (cosmogony) Web browser Public key certificate Emulation Local Group Crash (computing) Sign (mathematics) Hacker (term) File system Gastropod shell Computer-assisted translation Exception handling Validity (statistics) Block (periodic table) Binary code Interactive kiosk System call Local Group Entire function Integrated development environment Software Crash (computing) Interactive kiosk Right angle Heuristic Gastropod shell Hacker (term) Window Probability density function
Windows Registry Trail Computer file Cone penetration test System administrator Flash memory Reflection (mathematics) Web browser Information privacy Product (business) Front and back ends File system Gastropod shell Game theory Chi-squared distribution Parsing Information Reflection (mathematics) Content (media) Interactive kiosk Plastikkarte Password Configuration space Text editor Computer worm
Web page Open source Java applet Weight Interactive kiosk .NET Framework Physicalism Chaos (cosmogony) Product (business) Web 2.0 Revision control Goodness of fit Logic Hacker (term) Internetworking Gastropod shell Right angle Metropolitan area network Window
Execution unit Standard deviation Demo (music) Integrated development environment Videoconferencing Interactive kiosk Plastikkarte Information security Computer programming
Web 2.0 Direct numerical simulation Execution unit Internetworking Block (periodic table) Virtual machine Plastikkarte Website Chi-squared distribution
Trail Functional (mathematics) Computer file Java applet Interactive kiosk .NET Framework Open set Cartesian coordinate system Neuroinformatik Different (Kate Ryan album) Hypermedia Software framework Computing platform
Computer file Software Ring (mathematics) Projective plane Letterpress printing Right angle Information security System call Window
Online help Cantor set Gastropod shell Lattice (order) Hill differential equation Computer-assisted translation Local Group Dynamic Host Configuration Protocol
Revision control Sign (mathematics) Software Online help Cartesian coordinate system
Execution unit Link (knot theory) Binary code Drill commands Interactive kiosk Gastropod shell Proxy server Local Group
Revision control Execution unit Link (knot theory) Demo (music) Multiplication sign Gastropod shell Physical system
Type theory Process (computing) Integrated development environment Multiplication sign Interactive kiosk Right angle Physical system
Type theory System administrator Website Client (computing)
Revision control Morphing Hacker (term) System administrator Interactive kiosk Right angle Metropolitan area network Window
Arm Link (knot theory) Perpetual motion Interactive kiosk
Dot product Standard deviation Term (mathematics) Hacker (term) Interactive kiosk Chaos (cosmogony) Extension (kinesiology) Window Computing platform Spacetime
Morphing Wechselseitige Information Execution unit Moment of inertia Computer file Server (computing) Interactive kiosk Right angle Window Neuroinformatik
Computer file Integrated development environment Interactive kiosk Configuration space Quicksort Host Identity Protocol Power (physics)
Execution unit Projective plane Letterpress printing Gastropod shell Open set
Web page Root Computer file Gastropod shell Interactive kiosk Error message
Greatest element Roundness (object) Integrated development environment Multiplication sign System administrator Interactive kiosk Interactive kiosk Web browser Window Resultant
Computer file Validity (statistics) Gastropod shell
Touchscreen Process (computing) Code Password 1 (number) Window
Performance appraisal Bit rate Password Revision control Hill differential equation Cartesian coordinate system Measurement Window Physical system
Data management Password Software testing Physical system Task (computing)
Web 2.0 Revision control Server (computing) Software developer Bit Data conversion Information security Metropolitan area network
Installation art Computer file Software System administrator Extension (kinesiology)
Revision control Web page Web 2.0 Graphical user interface Mathematics Computer file Computer configuration Content (media) Configuration space Asynchronous Transfer Mode
Web 2.0 Computer file Multiplication sign Control flow Data conversion Metropolitan area network
Web page Dynamical system Context awareness Computer file View (database) Source code Menu (computing) Web 2.0 Message passing Causality Term (mathematics) Configuration space Right angle File viewer Booting
Web 2.0 Pixel Set (mathematics) Text editor
NP-hard Domain name Server (computing) Link (knot theory) Open source View (database) Source code Trigonometric functions Web 2.0 Revision control Digital photography Spherical cap Internetworking Semiconductor memory Single-precision floating-point format Gastropod shell Software testing Computer-assisted translation Software protection dongle Vulnerability (computing) Collaborationism Execution unit Validity (statistics) Structural load Interface (computing) Projective plane Keyboard shortcut Moment (mathematics) Interactive kiosk Content (media) Plastikkarte Staff (military) Entire function Type theory Digital photography File archiver Text editor Cycle (graph theory) Quicksort Freeware Simulation Software protection dongle
well hello Def Con my name is Paul Craig I work for a company called security
assessment com I live in sunny Singapore possibly the other place that's as hot as Vegas I'm a pen tester and basically a hack stuff but this is this is my world okay so it says overview um this
is a hacker conference right and when I come to a hacker conference the last thing on if I can see is PowerPoint why do I not want to see Power Point because PowerPoint is not hacking all right so I do have a slide deck I'm going to go through my slide deck but i'm specifically designs presentation so there's actually not a whole lot of slides i don't really like slides we're going to do lots of hackett specifically we're going to be having kiosks internet kiosks dimmers so i'm going to explain to you guys who i am what my fetish with kiosks is about how I break into kiosks and i'm just going to phi can break into kiosks alright and yeah we will have some fun okay so what is an internet
kiosk internet kiosk why as you can see from the picture just there that was taken the Rio it's basically that little computer sitting in the corner of a room that has internet access so it's usually an x86 desktop running some breed of Windows sometimes linux at cost you four five dollars and you can browse the internet and you can do something on it now you find them obviously hotels motels airports boys crazy places okay
so I kind of call myself the self-proclaimed king of chaos hacking so health has come about about five years ago I got a pen test engagement working for a bank in New Zealand and the penthouse engagement was to look at a kiosk that they were deploying in the foyer of the bank as kiehl's was de plugged directly into the corporate network so I rocked up as they are noticing when these kiosks before I'm sure I can what we do something with it and I found pretty quickly that I could I can actually bust through the kiosk I've access to the OS the from the RSI full access to the bank's corporate network in the foyer so I the only have to go through the security goals and I think pretty much from that point on I was fucking hooked on these things because I realized that on it's the attack avenue that people don't we think about it's the thing that um yeah it's the thing that works as well so I was hooked fascinate addicted obsessed and basically I spent all my time hacking his kiosk my colleagues were saving like Paul where the fuck do you want to hack these things but I'm a new right then and there that I just had to become the world's best person in hacking these damn kiosks so my colleagues continued to call me over the years that crazy kiosk I all I did was hacked kiosks whenever I saw them at to get shell and actually became quite a problem for me it became an addiction it became something that really started control my life so I had to go see a psychiatrist I found someone on it and I've talked about someone and they said look man you have what's gonna addictive personality essentially you can become addicted to things that aren't addictive fucking awesome excellent okay all right you need a distraction I was told you need a distraction so like okay all right distraction number one now I
didn't really work so well distraction over to now I didn't really work so well distraction well three instead kiosk
they just they won so of course the age
stages of grief the seven stages acceptance I basically realized that there's got to be someone in the world who's hacking these kiosks if I don't do it the vendors gonna fucking when we can't have that so i said screw it you know let's take ownership of my addiction that's embraced my passion let's fucking hack all of them every vendor every product every platform systematically method aut?k lee create and publish everything i do i basically be very open about this and trying to rape and pillage all the kiosks act more it's basically one go from new zealand vs the entire kiosk software industry so
i wrote a list of every dl spender i could find there's like 22 23 of these guys and for each vendor i tried to produce a series of repeatable steps i wrote tool scripts add-ons plugins all these things that helped me compromise these kiosks and then I try to compile all of my research and all of my tools into one place I wanted it to be easy for all you guys to basically hack a kiosk as well as they have me in a box so to speak and of course the fruit of all my efforts became I can't the interactive kiosk attack tool it's essentially a software-as-a-service website that you visit former kiosk right and this website owns the kiosk for you you collect shells appear is basically how it goes right you guys see where this is going So Def Con 16 I
rocked up to Vegas sounds like woohoo I got this thing called I catch check it out and it went well you actually went really really well too well during my presentation I said you guys know you can hack all the kiosks in the riv in about 10 seconds and they did for anyone
who was at the Rev they actually had the security guards and then we had the police there and if you guarding the kiosks because basically were just popping shells to facing them and having porn up on the kiosk and this really
began the cat and mouse game of kiosks with me and particularly with chaos vendors so majority of chaos vendors found out about I can't they watch the presentation when the videos got released and they started fixing all of the stuff that I found all of my bugs they also blocked by cat URL so an ok alright year later I kept to I rolled around I found new bugs I found new exploits new tricks new technologies like fuck you guys I'm you know I'm gonna do it again so I did it again and it was also my dose of shells who are then a few months have to release same thing happened again they fixed it all so it's like okay all right I'm a
professional hacker you you can't stop me and I will win I'll just keep going I'm very persistent so next year rolled around defcon 18 I released this I can't be three cents Leessang same deal you're owed a new tricks new magic and also trying to just expand everything that I could own so I focused on such acts terminals touch screen kiosk photo kiosks basically anything that you can interact with touch you could pop shower all right yeah that the downside of this this sort of approach is that I've actually single-handedly raised the security bar for internet kiosks terminals because every year these guys fix like vast quantities of bugs yeah yeah it's good for you guys that's also a few guys to crap this makes my job a lot harder all right so def gone
19 I came up with while I said screw it let's do it again so I can't for I can't be the Vengeance edition but it's gonna taking vengeance against the chaos vendors I cat is now used by about 35 to 40 kiosk per day all around the world I see airports hotels lots and lots of places lots of casinos and it's now become basically the de facto standard for hacking your kiosk and vengeance is by far the smoothest easiest mostly bug-free kiosk hacking tool it also features this very nice commissioned artwork of the icap girl holding a bloody heart yeah so this is what I'm going to be having some kills with today oh look here's a kiosk we had to it this
was actually in Vegas yesterday day before so you can see just down at what it works ok so a little bit about how
Kaos work how the kiosk security model works keo offenders obviously take security very seriously the reason they take security very seriously is that a secure chaos product is not a cheap kiosk product so you see lots of words about a monitoring and protecting and blocking and restricting I act yeah user access system management pc lockdown access controls basically they try and stop me from doing stuff on the kiosk and stop you guys now how do they do this they do this through four distinct methods firstly they have what's called user interface security you'll find that on a kiosk you're messing all the buttons you're missing maybe like the start bar you're missing you missing menus toolbars you know you're missing the functionality you want you missing the way to get to explore or pop shell second thing you'll notice is that you have an activity blacklist if you do pop shell the kiosk will probably detect that you pop to chow and then try and close the show you like oh no you're running a tool which is prohibited thirdly the chaos usually running in a hardened cure environment so you'll find group policy SRP and AppLocker throughout the kiosk so they try and restrict you unblock your every possible level okay so this
is an example of how how a key especially locks itself down this is site kiosk this guy's really fucking hate me we see that when we run it's like kiosk just how much the XP desktop environment changes so we have standard XP here it runs like kiosk bang the stop bar disappears and it gets replaced with
this warrants that kind of clone and it's kind of gummy you know like it's missing all the staff and we're now inside the jail kiosk environment now inside their little shell all right so
these are the things I've learned about the kiosk security model firstly black ones don't work and the security industry we know that blank let's do not work if you stop me from doing one thing I'll do it a different way because there's like 10 million ways of doing the exact same thing on any modern operating system the second thing i found was that websites you visit from a kiosk terminal usually have more access controls or access rights than you as a person on the kiosk itself all right so none of the vendors really took in consideration of the remote attack they still think someone would do it haha thirdly the underlying browser libraries that these kiosks are based on but usually IE all right so IE has this security model where it basically trusts that do on the keyboard it'll ask you it'll say do you want to run this are you sure you want to run this this can potentially come from a malicious website well if you're hacking the kiosk you say yes this is a problem and lastly Microsoft
has these tan immutable laws of security and basically law number three the bad guy has unrestricted physical access to a computer it's not your computer anymore fucking mine all right so our operating systems will trust the local user so kiosk software has to go against the grain of the operating system essentially the chaos vendors have the hardest job in the world because the operating system is trying to contrast what the kiosk software is doing and all you need is one instance all you need is one instance where the chaos platform will trust you are then bang you got shell as you'll see is very easy to get shot ok so how can kiosks the great
thing about hacking kiosk is that it's really goddamn easy it's like solving a puzzle essentially the problem is how do you pop shell without a stopper all right so maybe you go like file open then fine start but or find CD dot exe and run that maybe you find a creative or a different way of using windows in order to get what you want it's very visual it's very easy to follow and I actually think it's very hackery you know like you can almost see this in hackers the movie kind of thing all right so this is my approach for breaking kiosks this is a quick rundown on my methodology first thing I do is I try and identify the platform and the vendor software own use I figure out what my attack platformers all right I'll show you guys I can I run through how I do this using my tool but essentially have a button that says detect applications and it goes around it tells you what's on the kiosk what's installed and what you have to fuck with we can also visually tell quite a few things so this is a Linux kiosk I can tell it's a Linux chaos because the mouse cursor isn't as well drawn as the windows one and it's about that funny little stock watch thing the buttons have a different level of depth than a different amount of color but you tell that this is Linux just visually by looking at it are they on the other hand this is windows we can tell the mouse cursor is different all right we can also talk to this got all these fucking crap on the page yeah we can visually really identify what our platform is so
the next thing I do is I try and enumerate all of the available windows all right so what I'm looking for when I say a numerate windows as I'm looking a common dialog it's a file open file print file save the reason I want file open or file save is that these controls essentially use explorer and explorer is webdav enabled alright so let me let me pose in a different way if i can get notepad to spawn up on a kiosk i can use notepad and go file open HTTP colon forward slash forward slash file and it will download that file and put it into notepad because the file open box is web to have enabled it's essentially a web browser so anything we use those file open we can retrieve files anything that's file save we can actually save files remotely using web dev so we find credit card slot tax we can file save to another place the third thing I do is I try and enumerate all of the applications that are installed so I look to see if there's a PDF Reader installed as office installed microsoft media player is anything installed on the kiosk that i can potentially leverage pop shop so can i load a PDF file which will then load cmd.exe can i load an excel file which will have an embedded c md dot exe inside of it in all these file format tracks can i use another handling application to escape out of the kiosk gel and we can also try different methods of trying to retrieve these files we might find that a kiosk will restrict down downloading xls files but if we download like far xls ? text then the fire gets retrieved so these are standard vulnerabilities typically web application vulnerabilities that we see in kiosk software so yeah I had this email I get a lot of found email i guess you'd say don't do from egypt and he was like hey Paul I want to hack the Egyptian tax kiosk I was like holy shit man you get caught they will fucking kill you so like okay all right um I think I can work with I work with this I've been talking to him tyler stevens at the time and idler i come out with his own excel in memory trick we basically uses excel to create a section of memory marked as executable and jumps into it and that section of memory contains CMD doc dll and so you get a command prompt loaded inside the context of excel so I basically took diverse Stephen stuff I have my own code signing stuff good i signed all his macros and i created this tool called office count which I gave to
this Egyptian dude I'm basically you notice the excel file this example of using excel file it's basically escape out of a key of Roman you just open up click open command line wait a few seconds here then a command prompt pops
up so this is an example using a relatively innocent file type to escape out of an environment the fourth thing I
do is I look for registered your ID protocol handlers so I look for things like mail to call to http shell I try and use a URI handler to spawn another application that application that i spawned maybe that has a common dialog maybe that its way of opening a file maybe that as a way of escaping the environment I also look for any internal URI handlers that the kiosk software might have so is there an admin colon for such for such things like psych kiosk have their own sk admin euro honda where you can access an administrative interface then I try and install my own browser add-ons we're on browser plugins so I can't has java activex click wands yeah i got all sorts of all sorts of things now i kept one and two was full of all these add-ons i had so many so many cool little nifty plugins and all of them were unsigned because i don't have the cosine sir and the vendors saw this as a great opportunity to fuck with me so they basically blocked any unsigned plugins from being installed on any chaos night as well clearly now this evil hacker can't afford to buy a cosine his stuff so I set up a big banner like on I can't say donate please donate please donate I need a code science stuff cut it turns out hackers are really fucking cheap because I got maybe about twelve dollars oh man seriously but um I was actually a key opps vendor who contacted me and I said look maybe maybe we can do a partnership here and I'll tell you some problems wrong with your software and return you give me enough money to buy a cosine exert so I help them secure their software I got a co-signing sir fucked all the other vendors so so now you'll see that all of my all my plugins all my tools are all my files absolutely everything i have have been signed by shiny soft limited so this basically gives you the best possible chance of getting your ad on your plugin installing the kiosk the such thing i
found was actually is easy just to crash the fucking chaos because when you crash the kiosk environment guess what happens you get to the desktop it's like wow this is really fucking easy all I have to do is create an unhandled exception and a browser while that is really damn trivial it's very very easy so flash PDF we how many people have ever had a browser crash on them right i mean it's it's not difficult and it's very very easy to pop out of kiosk using this truck so I call this mo kio scheme now
the seventh trick I find usually once I've on pop shell on a kiosk I try and hack the wind shell itself so when she'll hacking is essentially trying to manipulate the GUI environment the windows has shown me so when you are using Windows desktop obviously the windows you see are not all the windows that are available on their desktop a lot of the windows are marked though us visible equals false all right and you might have some really interesting windows here you might have liked admin windows you might have backup software that's running you might have tools running in the systray which you can't see but they're still there so I've developed a whole lot of tools which basically allow you to make windows visible cool things called like make visible all right wind spies you click buttons more windows appear use those windows you escape alright so what's new and I can't for Dan so um firstly I've been finding that a lot of kiosks these days are deploying more and more srp srp group policy and app Locker really trying to restrict like you cannot run cmd.exe or any binary signed by Microsoft so it's like okay all right how can I get around this how can i defeat this so what I did was I wrote a little tool which traverse the entire windows file system and heuristic Lee looked for any calls checking local group policy or checking SH is restricted and if it finds that it knocks it out or it patches it out this basically gave me about a hundred binaries out of windows which do not validate local group policy which is really fucking handy right I then took all of these binaries and I relinked them all right so by linking them I'm going to bypass AV the executable now looks noticeably different ok so two down then I signed it with my own code signing certificate so it's no longer signed by Microsoft so if you have an srp policy which says block microsoft it's not signed by Microsoft the three down and I'm basically left with a nice little executable that you can run that will just work I won't validate anything nothing blocks it and it just works so I cats now full of the stuff yes there as an example unlocked CMD to exhume run time by showing yourself I discovered
that sometimes there are files on kiosks that you want to view sometimes you want a few like credit cards text you find Arceus the only problem is like they've removed notepad there's no text editor you can't spawn notepad so I thought well why don't you just upload the file to me and I'll reflect the contents back to you so you select the fine say our I want to view this file use the final reflection track of I cat and we'll send you back the file contents so then you can look at it so it's pretty handy for config files a particularly kiosk kiosk infect CFG kind of thing that contains admin password equals a very easy way of retrieving information now have registry file system config files asprey hundred trigger then I decided it would actually
be really handy just to wrap metasploit around this entire thing like what the hey I mean metasploit can help me so I set up my own modification of browser auto cone caught I cap auto poem which basically you know one click and it uses a download and exact payload make downloading exact payload will then try and spawn shells and privacy and spawn shells so basically you click and then a whole lot of fucking shells appear as what supports down to it but it's fully metasploit on the back end now this is handy when you have commercial kiosks shipping with flash 6 which came out 2004 this was like an up-to-date kiosk product that I found so shit like this yeah it's incredibly easy to metasploit now I was out drinking
with some of my buddies so my colleagues and they said Paul I counts really fucking awesome however as way too much clicking I have to do too much work you know what you need you need one fucking button and that button is pwned you know what man you're right really right yes I am I kind of scripted an automated everything so I've got this little this little page they'll basically detect what the kiosk is finds what's installed and it says okay well you want the dotnet explodes you have jobs i'll give you java and I'll throw your metasploit for good luck so it's even more like one click and a million fucking shells appear I tries absolutely everything my best ideas always come after drinking okay so not enough enough talking right
that this is a hacker conference so we are going to hack some kiosks we're going to be hacking for different kiosks these are the latest versions of these kiosks these kiosks vendors you know that they've patched their stuff to fix their stuff we're going to be hacking chaos logics net stop which is very common in Vegas not that I promote kiosk aking web converge awit is a linux-based open-source kiosk just so I can show you guys that Linux products are not more secure than windows and you can still hack works we're going to hack my cafe cup which is one of the most popular in Europe you guys have a physic European internet cafes and then finally we're going to hack morphix which is another open source Linux kiosk of course we're
going to do this all live unrehearsed there's no videos we're just going to
fucking hack some stuff already
so security cards have always been told
that before you do a live demo you have to sacrifice a virgin on this luckily is very easy at a security conference
alrighty so this is my standard XP desktop environment I'm going to run up the kiosk program all right anyone here
recognize this UI you seen this around
maybe why get my five dollars prints the machine i surf the internet for the web
cool i know i heard about this cool site I can't har CKD da minute oh sorry the site's not allowed so this was the first thing that this vendor did he was like well you know scruple Craig I'm just going to run block I Cathal hide-and-seek 18 on that so well um I said I'll screw you i'm going to set up a dns wild card so basically anything got a che da CKD don that go stuff i
cant simple start simple stuff
okay we are at ikea this this is it so the first thing I really want to see is what wasn't still what's my kiosk platform all right so it's attacked on my applications this uses a bunch of different tracks to basically figure out
what's installed guys told me I've met
stop rocio's I've activex java clr is still installed and i have click one support click once is kind of a kind of a kind of a funny thing most people don't really know what click one says essentially click once is being able to deploy donate application through a dot application file which get picked up by the clr if you have an install save our that if you have the dotnet framework or the clr installed on your computer you can run click once applications I also have one is media player netmeeting yeah it's detected framework one and two msn messenger movie maker okay all right I stuff from the top common dialogues okay so can I get to a file open dialog okay this function not
supported security reasons can I get to
a file print dialog okay i can get to fire printer can i add a printer to
printer okay so i'm saying to like
trying to enumerate all my windows very what i can do is i can add a add a network printer I need to get to a you
know like print to file would be the best way we can see it's been it's been great out that their project disabled is so and actually the the print dialog here we can't get to any common or good common dialogues file save as dialog now
can't do that all right can I am kind of
get any your I handlers to pop up can I use call to okay so i can get net
meetings to spawn okay that's handy
about hcp AE HCP spawns us that makes it
too easy are using command prompt
so really the only thing the Keogh
spender did hills that they blocked I cat on a chase EKG on but no no no no
this isn't shell as we can see this the command prompt has been disabled by our administrator so they're using disabled CMD which is the local group policy to block me so we haven't won yet don't don't get too excited but we getting
close ok can I can i download a tool because you know like I've got my own I
got my own command prompt I download seemed to eat yeah so unfortunately they're not nice enough to give me commercial versions of their software all right ok oh we can't download things
either ok alright so I know how to dock
netinstall let's just try and run my sign click one still can I do this tik tik tik tok launching application the second let's see launching application have one ok we wait this downloads about
ten two and a half mag of binaries tools it basically downloads all of the icap sweet everything inside of it directly into the kiosk then we're going to see
if we can bypass the local group policy so we can get that command prompt up ok
are you sure you want to install this yes installing ok awesome now I have I
can't click once ok i want user shells
ok alright so that's trying to do my
mark Russ novices srp bypass so we might have bypassed srp but local group policy Stockton's ok thurs trying to spawn
local cmd.exe that didn't work this
trying to spawn different version see indeed that didn't work and this one
while that worked ok so now I've shell awesome ok but you know I'm poor Craig I don't want fucking user lands shell I can't do anything in this what I want is system so as simple just quite spawn system sure okay oh let's try that again as we get
during live demos so that was armed using Tabitha's aunty vdm allowed truck to spawn a local show that that actually usually works that's the first time that's please ground if you guys are
interested I can show you this again see
since since I've run it especially now install it so I'm just run this Oh we'll
just try one more time taskmanager
process and we should see ik tht is now running a system ok so imagine we still in the kiosk environment and our system yeah ok now let me show you guys another
truck I found I found recently so I showed you the the command prompt was disabled right we type CMD dot exe we get this you know the command prompts me
to disable by your administrator you guys remember command calm like command
calm we get this all right but we type
dirt and it says this command prompt has been disabled by your administrator so I was actually sitting a client site recently and I was thinking there's got to be if I can way around this because inside command calm I can do stuff like this do c and d I can't do that in CMD dot exe but if i type der doesn't doesn't work ok so what about if i type c colon hype tudor all that works ah so that that's that's actually a little um a little Microsoft O'Day there that's that's a little trick so we can we can use secon for / pipe to notepad and
notepad spawns even when the command prompts has been disabled by my administrator thanks Alice
okay so now we're going to hack a Linux
kiosk it was actually funny when I
released the first version of I count that's gotta press about like our this Kiwi guy found all these ways to hack internet kiosks are then this other guy in New Zealand living in the middle of fuck knows nowhere came out and said well the only reason he can do that is because Windows is really insecure and Linux is way more secure all right man fuck you so I went out to basically hack
all of the links kiosks because I don't
I don't buy that their arm that they're more secure I pause on my pm's all right
now it just starts up again
I didn't sacrifice enough virgins this
wine yeah thanks suspenders yeah so I
want to basically how cool of Linux chaos but I'm truck fact in Linux chaos is completely different you can try to
explain completely different bastardos you're not trying to pop CMD dot exe
it's the first thing I learned as I'm really a windows guy we're trying to pop us I've been X term that's that's the goal right the platform's obviously are not IE based at all we don't have any of the standard windows trucks we have to do everything in a relative of the Linux e-way the kiosks use them Linux are
primarily firefox based okay so we just got to think about five Fox Trax firefox plugins Firefox add-ons so I wrote my own firefox extension which will try and hack linux chaos space on firefox or
windows kiosks based on firefox and yeah
actually a lot of success all right
let's let's go now oh my computer spawns on a chaise
ok so it's detected a nonlinear windows
kiosk one skycap ok so let's first of
all what can I do here can I can i download a file can i download shit can
i download i gots michelle's okay i can
download files ok but if i download the file how do i spawn it well linux users
how do i spawn a fire without a star power i'm in this i'm in this restricted
Gerald environment so my first idea was
I should reconfigure the kiosk I said T we configured the whole thing it's using about colon config all right you got about comic-con thing you get so the
whole config of the kiosk ok maybe I can hijack something and I can hijack something to sort of detour and run you saw the next up is really simple trick so let's say like I'm going to look for the printer will go for the printer I look for lpr ok so we can see the
printer here is lpr Mars printer Neymar's the printer is us our band next
look a bag comment dialogues open for
print dialog yet print that project so
once again though we have shell and we basically none profuse ER I can't do shit with us this isn't this isn't enough me so because we can download
files let's get root okay so either still think we'll get root let's download this save this to dusk then go
back and print the page again pop another shell where would it download to
I just download again this can be faster yes good done it's now we got rid on the kiosk and yeah and it's error but it was actually particularly easy because this kiosk is still shipping with 2 615 so yeah not very up-to-date all right let's
hack another windows kiosk sofas in
better results this time okay so this is
this is this kiosk we got to login to the kiosk again okay all right and now
we assume that it's timer down the bottom looks like oh yeah you've got nine hundred ninety dollars left this is your environment or better yet windows
environment okay we try on pop the show
okay it's been disabled by administrator again okay sweet as so let's round up a
browser we get started IE will get I
can't go to see Kady don't know which
guy cash alright so the truck here is
what are they start or what haven't they stopped so can i download files i download as well i can't download files
so you know i think they're actually
thinking that since they block c md dot exe or disables CMD that you can't pop shell because CMD validates disable CMD but my cmd.exe doesn't validate disable seem to know I've show us the stories
that's that's that's way too easy what I want to try here is that I actually want
to get someone else's account I want money you see the logon thing at the beginning yeah I'm going to go for that so we're going to try and do is I'm gonna try and hack the the UI she'll use
this make visible tool I'm going to look at all the windows that are currently on screen whether they're visible or not and see if I can I'll make them visible fuck with the middle now the reason I
want to do this is because of this thing sitting in the corner this tells me that there's actually a whole lot of interesting process there's a lot of stuff running here that I probably can't see so this shows me all the windows
obviously all the ones that are highlighted are currently visible scroll down scroll down once what's on here okay logon user code password oh sorry
sorry what's this user rates users oh
right okay let's add a user DEFCON 2 so
basically the how the application works is that when you log on to the application use the correct username and password it makes this window visible well that's fine I'll just run my little tool which makes the window visible I don't need to log on to the application yeah I then we basically have here we
have full access to this and try for
good measure can we can we get system
yes thank you it's better
well it works where system task manager
doesn't test misers want to come up there anyway we have system so that's
not the key astana then we got all the usernames and passwords and we can add
ourselves another account that's to
another one this one's a Linux one so
got a bit of a problem with this one to be honest with you I hacked all the earlier versions of web convergent and I quite enjoyed hacking web converter I then I read their website one day and in one of the support kb's those this guy who posted like I found all these security issues with web converter and he basically listed all of my tricks everything that I've been doing and asked the developers very kindly if they could fix it all so they went out and they fixed absolutely everything it's like man fuck you so I download the new version i sat down sat down with a coffee i was like i'm gonna i'm going to get this i'm going to totally turn together so okay what what can I do
Howard hacked us originally was that I
was using my I camp firefox extension
are basically say install extension the
software installation has been disabled by your systems administrator okay or i would just download files and so our download like this doesn't fucking work anymore I can't download shit alright okay can I um can i disable this this
thing yeah I'll be careful I promise can i disable his XP install XP install enabled boolean false status locked so basically they have a file set which says you can't modify this and you can't install software awesome okay so i can't really I can't do anything with this I
say what do i do what do i do so i think what are the chrome resources do I have
that I can actually mess with so these were the internal zoals for Chrome so you access like this page chrome Global Content config is about conflict we can access the plug-in install wizard we can access tools options I don't
I much until I got to this safe mode okay I ideally want to get rid of web converging I have to disable this crap because I can't download any files so i'm going to say from okay disabled
add-ons to say we set toolbars yeah we said disable its able to sail make changes we start okay I now it's
disabled rope converter so now one hour
to download files to begin with and
there's no more web conversion so this is a good start but I don't have show I don't show and without shall I me really what fuck do I got it's okay um I need to pop x time alright so i went about like I can I can I pop Baxter so us are
banned ex TR they deleted extern like oh dude how else do i do this break my balls man okay all right now i can
download files i'll just download extern
safe download next to me okay then I
need to download a loader because of course files I download will be marked
non-executable so I've got to download loader as well so dynamics to load okay
cause we'se okay now I need to find a
way of getting home web see X term loaded or message to run okay so i go
back to about config know because I've disabled web converge I have my right-click context menu and one of the
best things my right click context menu is view page source so I'm going to hijack the page source viewer yeah I'll
be careful all right so okay so my editor is X don't true so they didn't lock any of these settings and my editors path is home web see x loaded on sh ok let's go back see that works pixels now that didn't work ok
let's of course I can't just run the SH
I've got to have a so my view source editor is Ben SH which is going to run home web cx2 load about Sh that's fucking likes fuck
so there you go as you can see it's
pretty goddamn easy to hack kiosks and I
hacked four of them right in front of you okay so collaborations and donations I cat is obviously a very open source project it's free to you guys but sadly it's not free to me my cosin tificate won't even oohing my hosting is not free my domain names are not free I openly ask for donations little people donate link please don't be cheap if you like Hank oh I can't you ever popped a shower they can't give me five bucks thanks okay so there's some other goodies i mentioned that i've been working on photo kiosk i came with a single day cap photo which is basically you can stick it on a little memory stick or all flash cards taken into a photo kiosk and it exploits autorun got em all the L&K vulnerabilities I has all the tools on USB so basically you put it on you try and browse the device and it'll either crash and give you the desktop or give you a shell or the on-screen keyboard so it's pretty handy pretty honey to keep on you i also have I cap portable so you can download the entire thing of ikat if you want your own version of a count if you're doing a pen test internally and you want to have your own server running you can download it no one big archive it's all there okay I've been working on something quite interesting at the moment I've been working on a 10 c plus plus i kept dongle the USB dongle this is sort of i was inspired by the ps3 USB malik exploit which basically the same piece of hard work the idea is that can i attack a kiosk using the USB plug alright can i attack it using the one thing I've ever tried so the trick with USB dongle is that I can simulate any other USB device okay so the first thing that comes to mind is that are you can simulate a keyboard yep so i can send the keystrokes to pop up notepad type out the contents of an exploit say if the exploit or then run the exploit i can do this from my you'll USB dongle but that's that's not actually that cool the thing I've been looking for is a way to get free internet access I don't want IT I'm sick of paying five dollars to pop a shell on a kiosk so I can simulate any USB device keep in mind any USB device okay meet the micro coin cue our coin and note validator this is based on the t 0 for us cereal ships are basically this is a USB device you put money into it and it sounds a USB signal cereal basically says dude inserted 10 the icap dongle yep you guessed it goes through cycles and simulates all of these things it tries like I'm on this one now this one now this one so the idea is that if you have a USB interface exposed you can plug it in and hopefully it'll say user just inserted a million dollars and then you have all the Internet's you ever wanted so hopefully I'm going to be releasing this towards the end of the year my problem is that I need to collect all of these coin and make validators which actually quite tricky to find and the vendors are not so keen on sending them to me I am that's it I mean in conclusion I am totally fucking addicted to hacking kiosks this something that really yeah really consumes me if you're interested in either donating to the icap project or you have my dear a concept you think you know something that's cool about hacking kiosks come up afterwards chat to me tell me your stuff give me your staff yeah otherwise you can buy me a beer and give you around here I thank you very much you