Hello. Hello, everybody. How many of you speak Spanish? Okay, perfect. Well, we got here a trophy because today, this morning, we had a soccer tournament and our team won the trophy, the Spanish team, the FOCA team. I'm sorry for Argentina and South Africa, the rest of the teams. We won the trophy; next year maybe. Well, thank you for coming to this session. First of all, let me introduce us: my friend is Juan Garrido and I'm Chema Alonso. We are working in a small company in Spain called Informatica 64. Before starting with the topic, we would like to introduce our country. We are from Spain. Probably it's a small country. This is a small country in the middle of everything. We are in the middle of Europe and Africa and South America because of our history. And if you never went to Spain, you have to go there. I'm from Madrid, which is a very nice city. It was the capital of the big empire five centuries ago. But it's a very nice city. And if you go to Madrid, you will never be a foreigner, because if you go to Madrid, you are from Madrid. So come to our city. And Juanito is from another city. It was the capital of the Arabic empire in the 7th century, when Spain was an Arabic country, a lot of centuries ago. And that tower is the Gold Tower. The first tower on the left is where the gold from America came to Europe. That's the Gold Tower. It's in Sevilla. And Sevilla is very famous because of the parties, because of the flamenco and so on. And especially, there are big monuments. This is one of the most famous monuments in Sevilla. It's the Plaza de España. Probably all of you know this monument. And you have to visit it because it's a monument in which you will fall in love. Because if Anakin Skywalker could fall in love in Sevilla, you can do it also. So don't forget to visit our country. Juanito is from a very small area of Sevilla, which is Triana. Triana is an independent republic in Sevilla.
And it's very famous for the Holy Week because they are very religious. And there are thousands of people carrying the images. And of course, after that, having drinks. Well, we work in Informatica 64 and probably some of you have heard about FOCA, which is one of the tools that we develop. And it's a free tool that you can use for tracking information, pentesting and so on. Tomorrow we are going to deliver our workshop of eight hours with a new version, which is version three. So if any of you want to attend, I'm not sure if you can book a seat, but you can ask for it.

What is the topic that we are going to talk about today? Well, we are going to talk about something which is very, very, very common, which is remote applications using Citrix and Terminal Services. There is a lot of work done previously about this topic, about Citrix applications and Windows Terminal Services. But we still believe that it is important because nobody is taking care about it. And, well, not nobody. A lot of people have unsecured environments. And we are going to see how easily a hacker can get into a company just using this kind of environment. So first of all, it's very easy to discover the entry point of a company just by searching for remote applications or remote connections on Google. Just searching for RDP files, you can discover almost 2,000 places, almost 2,000 servers, publishing applications. Of course, you can also discover government sites. Governments with remote applications that you can just click on and test. We'll see what happens. Well, you can do the same, more or less the same, in Bing. In Bing, you cannot use the extension modifier, but you can use the file type. This is a TXT file, and searching for any of the modifiers which appear in all the files, you can discover thousands of remote applications. So some of the places that we discovered with these remote applications are from the government. This is one of the sites.
The Patrol Order Management System is a .mil domain here in the States. We were going to do a demo with this server, but we were talking to Jeff, and Jeff found someone, and today it is fixed. I don't know why. But we are going to do the demo with California Transportation, the Department of Transportation, which is another site. Well, just reading the websites, you can discover the remote application. There is an ICA file, and you can download the file and just click on it. We'll see what happens. I promise, five minutes ago it was working. Five minutes ago it was working. Maybe much was done. Well, no problem. We are going to do the next demo. Don't worry. Well, I secured this environment. Well, as we are going to see, there are a lot of things to worry about, and it's very complicated to secure the whole environment. Well, this picture with the demo doesn't make sense, but after. Sorry. Sorry. Are you sure? No. I didn't learn it five minutes ago. Okay, let's not learn it again. But we didn't learn it five minutes ago. California Transportation, routing database, here it is, Caltrans, no, no. They fixed it. Five minutes ago it was working, believe me. Well, don't worry.

Well, one of the biggest problems with these files, these configuration files, is the verbosity. Just reading the files, which are TXT files, you can discover a lot of crap information like internal IP addresses, users, encrypted passwords. You can use that password, you can extract the password from the encrypted password, but you can get access to the system using an anonymous account or a user account in the system. So these files are perfect for APTs, just for the people who are collecting information, or for some special attacks like the Evilgrade attack. Just searching on the Internet for this kind of file, just searching for an ICA file, you can search for, what is it? ext:ICA, and just searching for documents with R and T, you can discover files with the password for Oracle just in the text.
So you can do anything special. There is a lot of information in that file. So due to this, we decided to add these kinds of files to FOCA, which is our tool for information gathering and for fingerprinting information about websites and companies. And right now, if you download the FOCA 3 version tomorrow, you will see that in the new version, FOCA is searching for this kind of file and extracting information and so on.

The second big problem is that it's a TXT file, so whoever has the file can modify the information and can try to get access to another part of the operating system. So just by modifying the configuration file and generating error messages on the server, you can discover something like all the applications in the operating system. You only need to build a logic with the error messages, and Terminal Services and Citrix servers have different error messages when you cannot get access to the file than when the file is not on the server. So just by asking for applications, you can extract the whole list of applications installed on a computer. To do this in Terminal Services is quite simple because there is a modifier which is alternate shell. This option was created for versions of the RDP protocol previous to version six, but it is still in the RDP files of Terminal Services 2008. It doesn't work, but the option is there. So you can ask for an application and the terminal server will say, okay, you cannot access this program because the alternate shell is forbidden, but you will receive different error messages. So if you receive "acceso denegado", which is in Spanish because Spanish is better, you know that the file is in the operating system, but if you receive "you cannot access this file", you know that this file is not on the server.
So the good thing is that you can do the same in Citrix, and there is no protection against one connection and another connection and another connection; you don't even have to type a captcha. So you can optimize this procedure with a tool. We created CACA, which is Computer Assisted Citrix Apps. And it's just a tool to do this. So you only need to open CACA, select one ICA file, a list of applications (in this example: notepad, regedit, command, noexists) and the number of threads that you want to use in parallel, and CACA will do this for you. So you can go to have a coffee. CACA is working, CACA is working. Well, CACA is trying to open the application, and the only thing that CACA is doing is taking a snapshot. So then, when CACA finishes, you only have to review the error messages. So in this way, you know if the application exists or not. You can use a very big list of applications and leave CACA running on a computer for one day, and at the end of the day you'll get your list of applications in CACA. Quite simple.

The other thing with terminal applications is what we call playing the piano. In Terminal Services environments and Citrix environments, there are too many links, too many environment variables, too many shortcuts, too many options that allow a hacker to get to a special part of the system that the system administrator didn't think about at the beginning. One of our favourites is Windows Server 2008, because Windows Server 2008 wants to help you with everything. So if you ask for an application which is not in the operating system, Windows 2008 shows you an error message with a help button. Would you like help? Why not? So just clicking on help, the help application appears, and in this application you get a lot of links to open Internet Explorer or to open the Open File panel and run commands and so on.
Playing the piano was a very, very nice thing to do, with a lot of shortcuts to access different parts of the operating system, but right now we've got more and more shortcuts. Sticky Keys, which is a funny thing: just pressing the shift key three or four times, the operating system will show you the Sticky Keys menu, which is within the Control Panel, so even if you don't have access to the Control Panel, with Sticky Keys you will be able to configure the whole Control Panel of the operating system, just pressing shift and so on. Is it easy to do this? Well, let's do a demo with Citrix. Well, this is the website of Citrix, but this is the website for the demo server, so it's a demo, it's legal. We got a user here which is Tonto del Culo, a Spanish name. The rest of the usernames were taken. No. No, no, no. No, no, no. It is working. Well, this is the environment. As you can see, in this environment we got a lot of applications. We are going to use Excel because this talk is about Excel, so let's go to the application and run Excel. Excel is working. Well, Excel is working. Well, right now the system is downloading the client components, so open Excel, launch. You have to open launch. No? Maybe. No, no, no. Execute. Okay, launch. Well, something with Internet Explorer, but we are going to launch Excel. Excel is working, believe me. I'm starting Microsoft Excel; the Internet is slow. Now, man, I'm just connected to the web. Where is Excel? Oh, my God. Okay. It is working, at least in the end. Well, now connect to the remote Excel. Come on. Please, if someone is doing a man-in-the-middle attack on this network, please don't do it. Moxie. What happened with the Internet? In English. Slowly. Hey, just open Excel. We didn't do anything. Okay. Yeah, open. Well, this is the Citrix environment. It is supposed to be secured by the guys of Citrix, so let's try to, I don't know, use the environment variable to connect to the system root. It's forbidden to the user profile.
It's forbidden and so on. But you can do a lot of tricks. One of the tricks that we do was just to create a shortcut to the command, finish, all, so all files, and then run, open. Oh, they fixed it. No, PowerShell. Too many consoles. Too many consoles. PowerShell. Let's change. Now we are going to use another console. Same trick, another console. Open. It is working. Well, go to the, and you'll get access to all of them. It's very complicated because every day the operating system is getting more and more complex, and the applications that we are publishing through it are more and more complex. Please stop, stop, stop, stop, stop. Don't trust people from Sevilla, believe me.

Well, the question is that the operating system is more and more complex and the applications are getting more and more complex, so every application that you are publishing through Terminal Services is a path to your operating system. One of our favorites is the complex application, and of course Excel is one of the most complex applications that companies are publishing through remote application services. So the good thing is that Excel is a very powerful tool, and bosses love Excel because you can do a lot of funny graphics and analyze a lot of data, connect Excel to databases, perform data mining and a lot of things which are very good for the business. And the good thing is that to do all those funny things, you need Visual Basic for Applications. If you remove Visual Basic for Applications from your Excel, your Excel becomes another kind of application, but Excel no more. So the idea is that with Excel you can do a lot of things. Let's do the first demo just in this, locally. We got a Windows 2008 with Hyper-V, no, with Terminal Services, sorry. In this environment we published Excel 2007. Excel 2007, we didn't use Excel 2010, because the security policies from Microsoft are more or less the same.
The main difference in security between Office 2010 and Office 2007 is about the sandbox, about the security option when you download a file from an unsecured location on the Internet and so on. But once you have the file on your machine and your computer, the security policies from Microsoft are the same. So in this environment we are going to execute just an Excel with Microsoft. In a normal environment, in a normal environment, when Excel is going to be executed on your local machine, the security option by default is that the user selects if they want to execute the macro or not, because the user is running the macro on his machine. But in a Terminal Services environment, a remote application environment, the security option by default, which is case by case, the user decides, is a bad option, because the user is running the Visual Basic for Applications not on their machine but on the server machine, which is completely different. In this environment we are going to execute just a file with Visual Basic for Applications. It is working. Well, in the next example we created a panel, and this is the default option. The user decides, okay, enable this content or not. Okay, enable. It's not my machine. So now you can, if the boss comes, you can show the graph. It's a good trick. Then open the panel. So just, you can do a lot of things with Visual Basic for Applications. For instance, see the processes and so on. As you can see, close. Through Windows Management Instrumentation, you can, through commands, retrieve the results and show them on the Excel file. Okay, let's close it. So we go back to the presentation. Well, after seeing this demo, it's clear that you have to take care about the security of Excel in remote environments. One of the first things that system administrators tend to do is to block some special consoles, like cmd, like PowerShell, WMI and so on.
But there are too many consoles, and in Windows Server 2008, the backup directories copy all those consoles, which creates a double problem, because you have double the consoles. But in this environment, we are going to have all the consoles forbidden. We got, using ACLs and using Software Restriction Policies, we are going to forbid all the consoles that you are going to see, but we can use consoles even from other operating systems. This is a trick that was published by Didier Stevens, and the idea is that you can inject a DLL into your Excel file, and that DLL is a command interpreter. So just invoking the command interpreter from your DLL, you are going to have access to the server. So let's do a demo with this. So if we go to the Windows Server 2008 and try to execute cmd, it is forbidden, and then it is forbidden. But in the Excel file that we are going to open, we got a DLL of ReactOS, and also a DLL for the registry editor of ReactOS. So just open the file and open the command line. Now the Excel file is extracting the DLL to execute it, and we are going to obtain the ReactOS command interpreter. Actually working, I hope. Well, here it is. As you can see, we got the ReactOS command interpreter, and it's like the command interpreter of Windows 2008, more or less the same. So this is a good trick. So go back to the slides. And of course, in the Task Manager, you cannot see the CMD because it's a DLL which has been loaded by the Excel file. So it's not in the Task Manager. The user is only working with Excel, which is good for the company. So go back to the slides.

So of course, after seeing this demo, you could think, okay, we are going to disable all the macros for my machine. If you use the first policy, which is disable Visual Basic for Applications, it's for all Office applications, not only for Excel. It's for Word, PowerPoint, Access, and so on. And for Excel, you got four options. The first one is execute all macros, which is unsecure.
The second option is case by case. The user decides; of course, if the user is the attacker, it's an unsecure option. The third one is no macros at all. So in this demo, we are going to select the no macros at all in an Excel file published through a remote environment. So we go to the Windows 2008 and select, we are going to log off the idle connection of the user. Okay. And now, we go to the policies and we are going to enable the policy and select no macros, no warnings for all macros. The third one, no warnings for all macros, but disable all macros. Okay, no warnings and macros off. So select that option. Okay. Apply the policy. Okay. Active Directory is working. Go back to the client and open the file. And this is one of my favorite tricks. So when you open the document, when the document is opened, you will see how it's impossible to execute anything because everything is forbidden. Try to do anything? No, it's forbidden. You cannot do anything. But there is something special with Excel. There are trusted locations. A trusted location is a path in which security policies are not applied. So you only need to save the document in a trusted location. And of course, the trusted locations are in the user profile. So let's save the document. We are going to use a trusted location. You can have trusted locations on the client machine or on the server machines. It doesn't matter. If the document is opened from a trusted location, all the security policies will disappear. So we are going to save in one of the most famous trusted locations, which is the default book. When you open a new file, there is a template. So we are going to copy here, save, close this document, and then close, and then open the document from the trusted location. Here it is. Well, no macros at all. It's not macros at all. Well, after seeing this demo, there is a solution. No trusted locations at all.
Well, after seeing this demo, maybe the system administrator can trust in digitally signed macros. Only macros that have been digitally signed by a trusted certification authority. So let's do a demo with this. In the next example, we are going to select the fourth option. Remember, first option, all macros. Second option, case by case. Third option, no macros. And the fourth option is only digitally signed macros. So let's log off. The third option, no macros. And then go, go, go, go, go. Digitally signed macros. Okay. Okay. Go, go, go. Apply. Okay. Active Directory working. We can play Minesweeper meanwhile. Well, we got a digitally signed Excel file, but it's a self-signed Excel file. And we are going to obtain this message. Well, we obtained a warning because it's self-signed. It's not from a trusted authority. You got "help protect me from unknown content". But there is a link. A link for show signature details. So just click on the link. Here is the digital certificate. So if we go to view certificate and the certification path, we can discover the root of the certification authority. And we can view the certificate of it. So. View the certificate. Ah, we can install the certificate because it's at user level. Perfect. Install the certificate. Next. It's at user level. So no problem at all. And now the message will change to enable this content. And the last one is the funny one. All documents for. This is very important because with this option you can start the third world war. Because in this example, we created a CA that we install right now. And if you install this CA, every document signed by this CA will be okay. And in the digital certificate, there is a link for the CRL. And the CRL is a link that could be an HTTP link, an LDAP link, and an HTTP link could be a SQL injection attack.
So if you install a CA and send an Excel file with a digitally signed macro to someone relevant in the company, and he opened, or he or she opened, the document, automatically the CryptoAPI will try to connect to the CRL. So if you discover, for instance, a SQL injection vulnerability in, I don't know, in the core of China, for instance, and you can install one of these rogue CAs in one of the DHA's machines, and you send a file to a user who is working on that machine (you can discover which users are working on what machine using FOCA), you can start the third world war. Well, just kidding, but we are going to do the demo locally. So in this example, that trusted authority has now the CRL. So we are going to open a netcat and we are going to send the document to a user. In this environment it is the same user, but the problem is that in remote application environments, there is a pool of users that is shared with the rest of the users. So we are listening, and let's see if the query, okay, here. Okay, as you can see, there is a message: notice.php, id equals file, shutdown, minus, minus, hello Aurora, whatever.

So in the end, as you can see, it's very complex, it's very difficult to harden an environment with remote applications. So if you got a Terminal Services environment publishing a lot of applications, or a Citrix environment, the first thing that you have to do is re-evaluate the security of the whole environment, re-evaluate the security of all documents. Of course, you have to trust in nobody, not in Nobody, even in Nobody, because in some operating systems Nobody could be dangerous. And be sure about the applications that you are publishing. One of the funny things that we discovered is that in Terminal Services with TS Web Access, Terminal Services Web Access, a lot of administrators are using this option, which is hide in Terminal Server Web Access.
That means that if you have a remote application published on your Terminal Services, this application won't appear in the HTTP panel, but the application is still published. So if you know the name of the application, you can connect to that application. And that's all. Thanks for standing here.
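The verbosity of RDP and ICA files that the talk describes (internal addresses, usernames, stored passwords, and launch options such as alternate shell that anyone holding the file can edit) lends itself to a defender-side check before such a file is published on a web site. The audit script below is an added example, not part of the talk and not code from FOCA or CACA. The key names it looks for are real RDP and ICA settings; the two sample files are constructed for the example, and the three finding categories are this example's own.

```python
"""Audit RDP and ICA connection files for information leakage before publishing them.

Both formats are plain text: RDP files hold `key:type:value` lines, ICA files are
INI-style. The audit flags stored credentials, internal addresses and launch
options, which is what a reader of the file learns, or can tamper with.
"""
import configparser
import ipaddress
import re

# Real RDP settings, grouped by what they reveal or control.
RDP_CREDENTIAL_KEYS = {"username", "domain", "password 51"}
RDP_ADDRESS_KEYS = {"full address", "alternate full address", "gatewayhostname"}
RDP_LAUNCH_KEYS = {"alternate shell", "remoteapplicationprogram", "remoteapplicationcmdline"}

# Real ICA settings of the same three kinds.
ICA_CREDENTIAL_KEYS = {"username", "domain", "password", "clearpassword"}
ICA_ADDRESS_KEYS = {"address", "httpbrowseraddress", "tcpbrowseraddress"}
ICA_LAUNCH_KEYS = {"initialprogram"}

RDP_LINE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


def _is_private_host(value):
    """True when the host part of value is a private, loopback or link-local IP literal."""
    host = value.split(":")[0].strip()
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # hostname rather than an IP literal
        return False


def _classify(key, value, cred_keys, addr_keys, launch_keys):
    """Map one key/value pair to zero or more (kind, key, value) findings."""
    findings = []
    if not value.strip():
        return findings
    if key in cred_keys:
        findings.append(("credential", key, value))
    if key in addr_keys:
        kind = "internal-address" if _is_private_host(value) else "address"
        findings.append((kind, key, value))
    if key in launch_keys:
        # Launch options are plain text: the holder of the file can change the
        # requested program, so they must not be relied on as a restriction.
        findings.append(("launch-option", key, value))
    return findings


def audit_rdp(text):
    """Parse RDP `key:type:value` lines and return the list of findings."""
    findings = []
    for line in text.splitlines():
        m = RDP_LINE.match(line.strip())
        if m:
            key = m.group("key").strip().lower()
            findings.extend(_classify(key, m.group("value"),
                                      RDP_CREDENTIAL_KEYS, RDP_ADDRESS_KEYS, RDP_LAUNCH_KEYS))
    return findings


def audit_ica(text):
    """Parse an INI-style ICA file and return the list of findings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)  # option names are lower-cased by configparser
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            findings.extend(_classify(key, value,
                                      ICA_CREDENTIAL_KEYS, ICA_ADDRESS_KEYS, ICA_LAUNCH_KEYS))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'credential': 3, 'launch-option': 2}."""
    counts = {}
    for kind, _key, _value in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def needs_review(findings):
    """True when the file carries anything a reader could reuse or tamper with."""
    return any(kind in ("credential", "internal-address", "launch-option")
               for kind, _key, _value in findings)


# Constructed sample files (not taken from any real site).
SAMPLE_RDP = """full address:s:10.0.5.21:3389
username:s:CORP\\publishedapp
domain:s:CORP
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB
alternate shell:s:excel.exe
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Excel
"""

SAMPLE_ICA = """[WFClient]
Version=2
HttpBrowserAddress=citrix.example.test:80

[ApplicationServers]
Excel=

[Excel]
Address=192.168.10.40
InitialProgram=#Excel
Username=citrixuser
Domain=CORP
ClearPassword=hunter2
"""

if __name__ == "__main__":
    for name, findings in (("rdp", audit_rdp(SAMPLE_RDP)), ("ica", audit_ica(SAMPLE_ICA))):
        print(name, summarize(findings), "review needed:", needs_review(findings))
        for finding in findings:
            print("  ", *finding)
```

Run it over every `.rdp` and `.ica` file in a web root before publishing; a file that triggers `needs_review` should be reissued without stored credentials, without internal addresses (publish the gateway or web-interface name instead), and with the understanding that whatever launch option it carries can be rewritten by the recipient.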