iKAT - The Interactive Kiosk Attack Tool v2: v2 is now released and contains support for Linux and OSX based Kiosks, along with Firefox extension support!! iKAT is the world's foremost Kiosk security tool, representing a 100% market share (or so our technical analysts have told us). Enjoy iKAT, and be sure to use the Feedback page if you have any ideas or comments.
The Moth trojan is a POC trojan which implements WMI event consumers as a unique method of malicious code deployment, within Managed Object Format code. The trojan itself is a party trick, and uses the Microsoft Text To Speech API to verbally abuse you as you try and find it.
The Moth was officially released at Kiwicon 08.
The trojan is based around WMI event consumers and WMI event filters. Event consumers are created to 'consume' the event of executing a series of local applications such as notepad.exe, avgui.exe and taskmgr.exe.
Event consumers could be constructed for any number of Windows events, such as CPU fan failure, reported hard drive errors or a user logging in.
The Moth is written as a series of persistent ActiveScript event consumers which contain embedded VBScript code.
When the event is raised by WMI, the consumer is activated and the VBScript executes. On Windows XP, WMI consumers are executed as SYSTEM; under Vista they are executed as NETWORK_SERVICE.
By using the FSO (File System Object) it is possible to embed additional executables within the consumer's VBScript, and use the event consumer to recreate files on disk and execute them. Oh the joys of VBScript!
Typical forensic methodology only focuses on 'looking down', such as looking for Trojans/Rootkits which hook/manipulate system calls. The Moth is an application level Trojan, in the sense that you must 'look up'. I found this approach to be unique and relatively creative; you would be shocked how many people do know about Windows and WMI and are unable to find the Moth.
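One way to 'look up' when examining a host, as an added example that is not part of the original page or of the Moth itself: inventory every WMI filter-to-consumer binding and show the trigger query next to any embedded script. The page does not say which namespace the Moth registers in, so the example walks all of them; `Get-WmiNamespace` is a helper name made up for this example.

```powershell
# Added example: inventory WMI permanent event subscriptions in every namespace.
# Run from an elevated PowerShell prompt on the host being examined.
function Get-WmiNamespace {
    param([string]$Root = 'root')
    $Root
    # Recurse into child namespaces; unreadable ones are skipped silently.
    Get-CimInstance -Namespace $Root -ClassName __NAMESPACE -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WmiNamespace -Root "$Root\$($_.Name)" }
}

$subscriptions = foreach ($ns in Get-WmiNamespace) {
    $q = @{ Namespace = $ns; ErrorAction = 'SilentlyContinue' }

    # Index filters and consumers by Name, the key that bindings refer to.
    $filters = @{}
    Get-CimInstance @q -ClassName __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_ }
    $consumers = @{}
    # __EventConsumer is the base class, so this returns every consumer type.
    Get-CimInstance @q -ClassName __EventConsumer |
        ForEach-Object { $consumers[$_.Name] = $_ }

    # A subscription only fires when a binding joins a filter to a consumer.
    foreach ($b in Get-CimInstance @q -ClassName __FilterToConsumerBinding) {
        $f = if ($b.Filter.Name)   { $filters[$b.Filter.Name] }
        $c = if ($b.Consumer.Name) { $consumers[$b.Consumer.Name] }
        [pscustomobject]@{
            Namespace     = $ns
            Filter        = $b.Filter.Name
            Query         = $f.Query                # the event that triggers it
            Consumer      = $b.Consumer.Name
            ConsumerClass = $c.CimSystemProperties.ClassName
            Engine        = $c.ScriptingEngine      # ActiveScript consumers
            ScriptText    = $c.ScriptText           # embedded VBScript/JScript
            CommandLine   = $c.CommandLineTemplate  # CommandLine consumers
        }
    }
}

# ActiveScriptEventConsumer rows with embedded ScriptText match the pattern
# described on this page; review each row against what is expected on the host.
$subscriptions | Sort-Object Namespace, Consumer | Format-List
```

An empty `Query` or `ConsumerClass` in a row means the binding points at a filter or consumer that was not found in the same namespace, which is itself worth a closer look.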
The Moth is 100% open source, and available for download.
Inside the .zip file you will find the installer for MS Text To Speech library (which powers the verbal abuse engine) and the .MOF file itself. To install the .MOF you simply type mofcomp xxxx.mof
Installing a WMI event consumer does REQUIRE administrative authority!
iKAT - The Interactive Kiosk Attack Tool, is a website designed to aid security consultants with the task of auditing the security of internet Kiosk software and deployed Kiosk terminals. Simply find a Kiosk terminal, surf to iKAT, pop shell, it's that easy!
iKAT provides multiple methods of accessing the underlying operating system of a Kiosk terminal through invoking native OS functionality.
The tool implements a vast assortment of browser technologies, including: Java, ActiveX, ClickOnce, JavaScript and Flash. iKAT contains documented and undocumented browser functionality, and just a few 0day techniques.
iKAT is very successful at gaining access into a Kiosk Terminal and (in most cases) can pop a shell in less than 30 seconds.
Since the official release of iKAT at Defcon 16, there has been a vast increase in the usage of iKAT around the globe, by both the whitehat and blackhat community.