Case Study
E-Banking Kiosk Penetration Test
Industry: Banking
Scene
The engagement described here was performed as part of a wider project conducted for a bank. The focus is a hardened E-Banking kiosk deployed in semi-supervised environments outside bank branches. These kiosks provide normal Internet banking facilities through access to the bank's own Internet E-Banking web application. The kiosks themselves are connected to a network which is in turn connected to the bank's corporate LAN.
Challenge
As the kiosk machines are connected to the bank's corporate LAN, the challenge is to subvert a kiosk into providing access to this network.
Engagement
The kiosk is built around a standard Microsoft Windows PC which is not physically visible or accessible. The kiosk is hardened using proprietary kiosk software, and the PC runs Microsoft Internet Explorer in full-screen mode as the browser. All Microsoft keyboard shortcuts are disabled. The proprietary kiosk software was located and examined for security issues, but none were found.
The E-Banking software is found to have a print function which, when triggered repeatedly and in quick succession, can be misused to present the regular Microsoft 'Print' dialog box.
Results
After being presented with the 'Print' dialog box, it was possible to reach a regular 'File' dialog box by using the 'Save to file' option when printing. From this point, Explorer was started and the taskbar was invoked. It was then possible to use normal Windows tools to enumerate the bank's internal corporate LAN. Using only programs installed by default in Windows, it was possible to enumerate desktop PCs and user accounts in the bank's domain.
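The escape path described above runs through the common file dialog, Explorer and the built-in Windows tools. As an added example that is not part of the original engagement, the following PowerShell applies the per-user policy registry values that close those steps for the kiosk account; it assumes the kiosk session runs as a dedicated, non-administrative user and that the Windows build honours these policy values.

```powershell
# Added example: lock down the interactive kiosk user via per-user policy
# registry values. Assumes a dedicated, non-admin kiosk user whose hive is
# loaded (HKCU) when this script runs.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$comdlg   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32'

foreach ($key in $explorer, $system, $comdlg) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Common Open/Save dialog: remove the places bar, recent-file list and
# back button so the dialog cannot be used as a file browser.
Set-ItemProperty -Path $comdlg -Name NoPlacesBar  -Type DWord -Value 1
Set-ItemProperty -Path $comdlg -Name NoFileMru    -Type DWord -Value 1
Set-ItemProperty -Path $comdlg -Name NoBackButton -Type DWord -Value 1

# Explorer: hide and block all drive letters (bitmask 0x3FFFFFF = A..Z),
# remove the Run command and the taskbar context menus.
Set-ItemProperty -Path $explorer -Name NoDrives          -Type DWord -Value 0x3FFFFFF
Set-ItemProperty -Path $explorer -Name NoViewOnDrive     -Type DWord -Value 0x3FFFFFF
Set-ItemProperty -Path $explorer -Name NoRun             -Type DWord -Value 1
Set-ItemProperty -Path $explorer -Name NoTrayContextMenu -Type DWord -Value 1

# Tools reachable once a shell is obtained: cmd.exe (value 1 also blocks
# batch scripts) and Task Manager.
Set-ItemProperty -Path $system -Name DisableCMD     -Type DWord -Value 1
Set-ItemProperty -Path $system -Name DisableTaskMgr -Type DWord -Value 1

# Show what was written so the settings can be checked before deployment.
Get-ItemProperty -Path $explorer, $system, $comdlg | Format-List
```

These values are the registry backing of the corresponding Group Policy settings under User Configuration > Administrative Templates and can equally be deployed through GPO. They do not remove the print-to-file function itself, so the application-side fix to the print handling is still required.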
Risks to business
There is a risk of reputational damage because of the relative ease with which a banking kiosk could be used to gain access, albeit limited, to the bank's internal network. Customer confidence can be damaged by such news appearing in the media. Given time to explore the internal network, it is possible that internal bank data could have been viewed, or at worst removed, via the kiosk.