Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

iKAT 2013 Release - Interactive Kiosk Attack Tool
From: Paul Craig <paul () ha cked net>
Date: Mon, 18 Mar 2013 21:12:34 +0800

     iKAT - Interactive Kiosk Attack Tool v2013
        Paul Craig - Paul () ha cked net

-------------------------------------------------------------

It is with my greatest of pleasure that i would like to announce the
availability of iKAT v2013!
iKAT (The Interactive Kiosk Attack Tool) has become the worlds
de-facto standard security tool when conducting
penetration testing of controlled browser environments, such as :
Citrix Sessions, WebTVs, In-Flight Entertainment Systems and Internet
Kiosk platforms.
iKAT has grown from a simple SaaS website in 2006, to a complete
client/server infrastructure used world-wide.
v2013 includes new features and advancements, and the release of iKAT
Desktop - formally known as iKAT Standalone.


iKAT is a website you can visit at http://*.ha.cked.net (commonly
accessed at http://ikat.ha.cked.net)
The website will try to use a variety of browser technologies to gain
access to the browser environment you are surfing from.
In essence - iKAT will allow you to hack yourself, giving you an
assortment of unrestricted command shells from wherever you are.
Much to my delight, this technology has become globally accepted - its
use is taught in SANS security training courses, and used by
penetration testers world-wide.

I am also proud to say that since the release of iKAT in 2006, iKAT
has had a dramatic impact on the security stance of many Kiosk
software vendors. We made a difference!


New Additions:
----------------------------------------
iKAT 2013 is generally a refinement of the iKAT software, with a
smoother exploitation path - more exploits, and better compatibility.

New Features:
            The iKAT Girl is back!!
            New Download Methods for each of the iKAT Tools
            Smoother / Faster exploitation
            Many resolved bugs and issues
            Refined and updated tools

iKAT Desktop:
----------------------------------------
Two years ago i suspended the development of iKAT Standalone (A
downloadable version of the iKAT server), due to the architectural
change of iKAT from a simple package of HTML/JS files.

I received over 250 emails from iKAT users asking when i would be
making it available again, my users screamed that they needed to have
their own instance of iKAT available internally.

Your calls for help did not go unheard, and thank you for showing your support.

Thanks to a sponsorship agreement from Offensive Security (you guys
seriously rock), iKAT Desktop is now available for download and
supports Windows, Linux x86/x64 and Linux ARM. It is also now a part
of Kali Linux (http://www.kali.org/)

iKAT Desktop is easy to use and only requires an installation of
Metasploit. Once installed, iKAT will start its own web server and a
back-end Metasploit server instance.
It should be noted that the Desktop version of iKAT has several
restrictions, but is otherwise fully functional and will give you the
same experience as the online version of iKAT.


iKAT PwnMap:
----------------------------------------

At the start of 2013 i began recording where in the world iKAT was
successfully getting shell, the level of access gained and the OS in
use on the remote host.
This information has proven interesting, as it demonstrates where iKAT
is being used globally and the success rate of the technologies
employed.
At the time of writing this email, iKAT has spawned 151 shells on
unique remote hosts around the world, with 72 of those being SYSTEM
accounts.
From Vietnam to Beijing, Israel to Azerbaijan, Algeria to Chelyabinsk
- iKAT seems to have a very wide user base, and is being used
primarily against Windows XP and Windows 7 hosts.
By far the most use of iKAT comes from West Europe, with the West
Coast USA close behind. East Coast USA - you guys are lagging..

The iKAT PWNMap is available at http://ikat.ha.cked.net/pwnmap
I would like to note that only the remote IP address, account gained
and OS are logged by iKAT.
The plotted locations only represent the ISP of the IP address, no
further detailed information has been recorded.


iKAT Pro / iKAT Live:
----------------------------------------
iKAT Desktop and the iKAT Website now feature the infamous 'iKAT Girl'
- a half-naked girl who acts as a hacking deterrent.
I have often been asked why i use a provocative image on iKAT - and if
i can remove her.
The WHY is simple. iKAT makes hacking public access terminals too
easy, and there is no way i can stop the tool from being used
maliciously.

To combat this, if you want to hack in a public place - you need to
have a half-naked girl on screen.
This simple deterrent has worked, and many hackers have told me that
they love iKAT - but will not use it in public for fear of being seen
as surfing porn.

However, i also understand that iKAT needs to be used in corporate
environments such as banks, or on a client site where a NSWF image is
unacceptable.
With this in mind i have developed two additional products that will
soon be available. iKAT Professional and iKAT Live.
iKAT Professional is a discreet version of iKAT Desktop, featuring
more technological advancements, more exploits, more browser add-on's
and a completely discreet professional look.
If you want to be using iKAT on a client site, you need iKAT Professional.

iKAT Live is a subscription based model to an online version of iKAT
Professional, for those who do not need their own iKAT Professional
instance locally - but still require the technological advancements,
and the discreet design.

Currently both products are in pre-release, and you can register your
interest at http://ikat.ha.cked.net/store to receive a discount when
they become available.


Thanks to those who made this possible:
----------------------------------------
iKAT is a labor of love, and would only be possible by the support of
the security community and those around me.
I would like to say a huge thanks to Offensive Security for the belief
in iKAT, and the support and assistance to create iKAT Desktop.

and to

Adam Sebolka
Jonathan Cran
Paul Klinger
Grange Yannick
Thaddeus Bogner

Each of you donated money towards the iKAT Project in the last 12 months.
Thank you so much, every cent went towards fighting the good fight.


Paul Craig - paul () ha cked net
"The King of Kiosk Hacking"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • iKAT 2013 Release - Interactive Kiosk Attack Tool Paul Craig (Mar 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault