
Unit4sec

KIOSK SECURITY AND PENTESTING

Table of Contents

01: What is Kiosk?
02: Kiosk: Information Security Process Audits
03: Kiosk: Physical Security Audits
04: Kiosk: Network Security Audits
05: Kiosk: Operating System Security Audits
06: Kiosk: Application Security Audits
07: Escape Kiosk Mode to Operating System Level

Finding solution

What is a Kiosk?

First of all, what is a kiosk?

Kiosk devices are computer terminals designed for user-specific information access. They run dedicated point-of-information software while preventing end users from reaching "system functions".

Some kiosk devices offer a free, informative public service, while others serve a commercial purpose (e.g., shopping mall kiosks, check-in kiosks, ATMs). Touchscreens, trackballs, computer keyboards, and buttons are typical input devices for interactive kiosk devices.

Touchscreen kiosks are utilized as industrial devices in commercial applications, reducing queues, eliminating paper, and enhancing efficiency and service. Their uses are limitless, ranging from refrigerators to airports, health clubs to movie theaters, banking transactions to libraries.


Kiosk Devices

In our daily lives, we frequently encounter and use these devices, known as "kiosk" devices, when performing tasks such as airport check-in, querying the stores on different floors in shopping malls, and even using ATM machines for banking transactions.

Kiosk Audits

When it comes to security hardening audits of these kiosk devices, what should be inspected and which exploitation steps should be tested, penetration testing of kiosk devices is in fact not significantly different from a standard PC audit. In general, a few additional checks and assessments are carried out on top of the standard PC audit procedures.

What is the objective of Kiosk Security and Pentesting?

The objective of penetration testing on kiosk devices is to assess the information security processes of kiosk devices, determine whether an anonymous user can gain physical access to kiosk devices, identify what data can be obtained once access is granted, ascertain the vulnerabilities present in the kiosk system, and determine the potential impact of malicious attackers utilizing these vulnerabilities.


Kiosk Security and Pentesting Main Topics

When listing the steps that need to be checked during kiosk penetration testing, the main topics are as follows:

01: Audit of information security processes for kiosk devices.
02: Audit of physical security for kiosk devices.
03: Audit of "security" and "log" policies at the operating system level of kiosk devices.
04: Conducting network tests on the local area network (LAN) where kiosk devices are located.
05: Identifying security vulnerabilities in the applications and services running on kiosk devices.


Kiosk Security: Information Security Process Audits

Organizations housing kiosk systems in their infrastructure are recommended to establish information security process management and procedures for kiosk security audits, ensuring the sustainability of these security processes.

01: With the assistance of QR codes available to technical personnel, certain kiosk devices can be transitioned into an operating system mode. In organizations where this process is applied, the following audit items can be established.

  • The relevant QR codes need to be changed at specified periods.


  • In the event of personnel responsible for the kiosk systems leaving their positions, it is mandatory to change the QR code.

02: Audit of "local admin" password management processes in kiosk devices is necessary.

  • The "local admin" passwords on all kiosk devices must be created to be unique and strong.

03: In some kiosk devices, it is necessary to occasionally open the panels of the kiosk device due to the need for "paper replacement." Therefore, multiple personnel may have access to the keys that allow the opening of the kiosk panel.

  • A list of personnel in possession of the key should be created, and in the event that a person listed in this roster leaves their position, the key must be physically collected.


  • To ensure that teams can be informed when kiosk panels are opened, alarm sensors should be installed on the relevant panels, and checks should be carried out to verify the proper functioning of these alarms.

Kiosk Security: Physical Security Audits

01: Are the rear or front panels of the kiosk devices open? The panels of each kiosk device present in the test environment should be inspected.

  • The panels of kiosk devices should be securely protected with a locking mechanism. If the panels are open or inadequately secured, physical access to the kiosk device can lead to a reboot of the device, allowing direct access to the operating system.


  • Kiosk devices often have USB ports on their panels, allowing the connection of a wireless keyboard and mouse. With certain shortcut commands, kiosk devices can be transitioned into service mode, providing access to the operating system.


  • By connecting the kiosk's Ethernet cable to a computer, it can be checked if a connection to the kiosk network is established. If access to the kiosk's local network is achieved, it can be determined whether access to other kiosk devices is possible.

02: Are physical alarms in use? Are there sensors on the front and rear panel locks of the kiosk? Do these panels generate instant alarms when opened or left open?

  • To prevent the oversight of open kiosk panels and to trigger alarms in the event of a malicious employee or attacker forcibly opening the kiosk panels, it is necessary to ensure that alarms are activated.

03: Are there USB ports on the kiosk device or inside the panels? Are the USB ports functional?

  • USB ports should be checked for functionality by connecting a keyboard and mouse.


  • If the USB ports are active, it should be determined whether bidirectional file transfers can be performed with the connected USB device (from Kiosk to USB or from USB to Kiosk).

Kiosk Security: Network Security Audits

01: Is Network Access Control (NAC) in use?

  • To verify if the kiosk device is connected to the local network, the Ethernet cable of the kiosk should be unplugged and connected to a computer. If an IP address cannot be obtained directly via DHCP, an attempt should be made to manually assign an IP address after connecting the Ethernet cable.

02: Are there unauthorized access controls between VLANs?

  • After establishing a connection to the kiosk's local network, it should be verified whether access can be gained to different IP subnets. After obtaining an IP address in the kiosk's local network, it is necessary to check for access to Server or DMZ subnets.


  • Access to different kiosk devices should be checked to determine if access can be gained to SMB shares or other resources on different kiosk devices.

03: If Network Access Control (NAC) is in place, is it possible to bypass it?

  • An attempt can be made to regain network access by randomly assigning a MAC address to the computer.


  • If the MAC address of the kiosk device can be determined, an attempt can be made to establish a local network connection after changing the computer's MAC address to match the kiosk device's MAC address.


  • If the MAC address of a different device known to be connected to the kiosk network is identified, an attempt can be made to establish a local network connection after changing the computer's MAC address to match that device's MAC address.

04: If a connection can be established to the kiosk network, can NTLM hash information be obtained using LLMNR Poisoning?

  • After connecting to the kiosk's local network, a check should be performed to determine if the NTLM hash can be obtained using LLMNR Poisoning.

05: If a connection can be established to the kiosk network, can a Man-in-the-Middle (MITM) attack be conducted using ARP Poisoning?

  • After establishing a connection to the kiosk's local network, the control should be carried out to determine whether traffic can be intercepted and redirected through ARP Poisoning. If ARP Poisoning is feasible, an examination should be conducted to ascertain if sensitive data can be obtained by analyzing the traffic generated by other kiosk devices.

06: Is Internet Access Available? Is a Proxy Server in Use?

  • When connected to the kiosk's local network, can internet access be directly established?


  • If internet access is available, can access be gained to websites that may contain malicious software (exploit-db) or provide public file sharing (wetransfer.com)?

07: Are there any misconfigurations on the firewall?

  • When connected to the kiosk's local network, can direct connections to an internet-facing server be established through FTP, SSH, or RDP? If such connections can be made, data can easily be transferred to an internet-exposed server, or malware and ransomware can be copied onto the kiosk device from an internet-facing FTP or SSH server.


  • What ports are open in the traffic from the kiosk's local network to the internet? If open ports are identified, reverse shell attempts should be conducted through the kiosk device.

Kiosk Security: Operating System Security Audits

01: Is the operating system properly licensed?

  • It should be verified whether the operating system is properly licensed or if it is utilizing unauthorized software cracks.

02: Is an up-to-date operating system in use?

  • It should be verified whether the operating system in use is a supported version by its manufacturer.

03: Have operating system updates been applied?

  • It should be checked whether updates have been applied and the dates and frequency of these updates should be reviewed.

04: Hard Disk Characteristics should be examined.

  • Are the hard disks encrypted? If the operating system is Microsoft Windows, is Bitlocker enabled?

05: If the operating system is Microsoft Windows, is Windows Defender and Windows Firewall active?

  • It should be checked whether each feature of Windows Defender is active. If an antivirus program is in use, it should be verified whether the antivirus is inspecting these features.


  • It should be verified whether each feature of Windows Firewall is active. If an antivirus program is in use, it should be verified whether the antivirus is inspecting these features.

06: Is access to the BIOS menu restricted with a password?

  • It should be verified whether access to the BIOS menu without a password is possible by pressing shortcut keys like DEL, F2, or F8 on a keyboard connected to the USB port.

07: Is an antivirus installed? Can it be disabled or bypassed?

  • It should be verified whether an antivirus program is installed on the kiosk device. If installed, it should be checked whether the antivirus can be disabled. If it cannot be disabled, it should be examined whether the antivirus can be bypassed with malicious software.


  • The date of the antivirus application's last signature update and the frequency of these updates should be checked.

08: Does the user operating the kiosk device have Local Admin privileges?

  • It should be checked whether the kiosk user has permissions to install, uninstall, or run applications, in other words, whether they have Administrator privileges.

09: Is access to the BOOT menu restricted with a password?

  • It should be checked whether access to the BOOT menu is possible by pressing shortcut keys like DEL, F12, F2, or F8 on a keyboard connected to the USB port.


  • If the BOOT menu can be accessed without a password, a USB flash drive with Live Kali Linux installed should be connected to the kiosk device, and the relevant USB drive should be selected from the BOOT menu. This way, the Kali Linux operating system can be booted on the kiosk hardware in place of the kiosk operating system.


  • If Live Kali-Linux can be booted on the kiosk device and the disks are not encrypted, access to the SAM and SYSTEM files can be obtained, thus allowing for the retrieval of the local admin user's password hash.
    • Navigate to the "C:\Windows\System32\config" directory,
    • Execute the "samdump2 SYSTEM SAM" command in the terminal.

10: Is the Administrator account active?

  • This can be verified using the "net user administrator" command.

11: Is the Guest account active?

  • This can be verified using the "net user guest" command.

12: Is access granted to CMD or Powershell? If access is restricted, are bypass methods successful?

13: Local Security Settings on the kiosk operating system should be reviewed.

  • Password Policies should be examined under Local Security Settings. It should be verified whether simple passwords like "123456" can be assigned to users on the kiosk operating system.


  • Audit Policies should be reviewed under Local Security Settings. It should be checked whether successful and unsuccessful logon attempts are being recorded.
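The read-only script below is an added example, not the deck's own code: it checks audit items 03, 04, 05, 08, 10, 11 and 13 above in one pass and lists the findings. It assumes an elevated PowerShell session on a Windows 10/11 kiosk, an account named in $KioskUser (assumed name), and English-language output from net accounts and auditpol, which it parses as text.

```powershell
# Added example (not the deck's own code): read-only checks for OS audit items
# 03, 04, 05, 08, 10, 11 and 13. Run elevated on the kiosk. $KioskUser is an
# assumed account name; English 'net accounts' / 'auditpol' output is assumed.
$KioskUser = 'kiosk'
$findings  = @()

# 03: patch recency (last hotfix older than 90 days is reported)
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastFix -or ((Get-Date) - $lastFix.InstalledOn).Days -gt 90) {
    $findings += "No hotfix installed in the last 90 days (last: $($lastFix.HotFixID) $($lastFix.InstalledOn))"
}

# 04: disk encryption (BitLocker on the system drive)
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $bl -or $bl.ProtectionStatus -ne 'On') { $findings += "BitLocker protection is not On for $env:SystemDrive" }

# 05: Defender real-time protection, signature age, firewall profiles
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp -or -not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
elseif (((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days -gt 7) {
    $findings += "Defender signatures last updated $($mp.AntivirusSignatureLastUpdated)"
}
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings += "Firewall profile '$($p.Name)' is disabled" }
}

# 08 / 10 / 11: kiosk user privileges and built-in accounts
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
if ($admins -contains "$env:COMPUTERNAME\$KioskUser") { $findings += "Kiosk user '$KioskUser' is a local administrator" }
foreach ($name in 'Administrator', 'Guest') {
    $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if ($u -and $u.Enabled) { $findings += "Built-in account '$name' is enabled" }
}

# 13: minimum password length and logon auditing (text parsing, English output)
$accLine = (net accounts) -match 'Minimum password length'
$minLen  = if ($accLine) { $accLine[0].Split(':')[-1].Trim() } else { 'unknown' }
if ($minLen -notmatch '^\d+$' -or [int]$minLen -lt 8) { $findings += "Minimum password length is '$minLen'" }
$logon = (auditpol /get /subcategory:Logon) -match '^\s+Logon\s'
if (-not $logon -or $logon[0] -notmatch 'Success and Failure') {
    $findings += "Logon auditing is not 'Success and Failure': $(($logon -join '').Trim())"
}

if ($findings) { $findings | ForEach-Object { "[FINDING] $_" } } else { 'No findings for the checked items' }
```

The thresholds (90 days for patches, 7 days for signatures, 8 characters for passwords) are assumed review values; adjust them to the organisation's own policy.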

Kiosk Security: Application Security Audits

01: Do the logs of the applications running on kiosk devices capture sensitive data?

  • By inspecting all folders and files on the kiosk devices, it should be determined what kind of data is stored in the logs of the running applications and whether the applications are making log entries at the DEBUG level.


  • Logs should be examined to check if they contain customer names, surnames, credit card information, passport details, or similar sensitive information.

02: Are there applications on the kiosk device that provide "Remote Access" functions?

  • Is remote access established to the kiosk device using applications like Anydesk or Teamviewer?


  • If connections are made to the kiosk devices using Anydesk or Teamviewer, are these connections protected by a password? If a password is used, is it a secure one?

03: Are outdated applications installed on the kiosk device?

  • The versions of the applications installed on the kiosk device should be verified.


  • The following PowerShell command can be used to list all installed applications and their version information on the operating system:


    • Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize
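As an added example (not the deck's own code), the script below covers the three application audit items together: it inventories installed software from both Uninstall keys (the Wow6432Node key alone lists only 32-bit software on a 64-bit Windows), flags remote access tools by name, and searches application log files for card-number-shaped digit runs that pass the Luhn check. $LogRoot and the $remoteTools name list are assumptions for illustration.

```powershell
# Added example (not the deck's own code). $LogRoot and $remoteTools are assumed.
$LogRoot     = 'C:\KioskApp\logs'                      # assumed kiosk application log folder
$remoteTools = 'AnyDesk', 'TeamViewer', 'VNC', 'Remote Utilities'   # assumed name list

# 03: inventory from both 64-bit and 32-bit Uninstall keys
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique
$apps | Format-Table -AutoSize

# 02: remote access tools present on the kiosk
foreach ($app in $apps) {
    $n = $app.DisplayName
    if ($remoteTools | Where-Object { $n -like "*$_*" }) {
        "[FINDING] Remote access tool installed: $n $($app.DisplayVersion)"
    }
}

# 01: card numbers in logs. A 14-19 digit run (optional space/dash separators)
# that also passes the Luhn check is reported masked, with file and line.
function Test-Luhn([string]$Digits) {
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]            # [string] first, else the char code is used
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d; $double = -not $double
    }
    return ($sum % 10) -eq 0
}
$panPattern = '(?<!\d)(\d[ -]?){13,18}\d(?!\d)'
Get-ChildItem -Path $LogRoot -Recurse -Include *.log, *.txt -ErrorAction SilentlyContinue |
    Select-String -Pattern $panPattern -AllMatches |
    ForEach-Object {
        foreach ($m in $_.Matches) {
            $digits = $m.Value -replace '[ -]', ''
            if (Test-Luhn $digits) {
                $masked = $digits.Substring(0, 6) + '...' + $digits.Substring($digits.Length - 4)
                "[FINDING] Possible card number in $($_.Path):$($_.LineNumber) ($masked)"
            }
        }
    }
```

Extend the regex stage with patterns for the other data types named in item 01 (passport numbers follow country-specific formats, so no single pattern is given here).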

Kiosk Security: Escape Kiosk Mode to Operating System Level

01: Can the kiosk user access the Task Manager? If Task Manager access is possible, the kiosk application can be terminated, allowing access to the desktop.

  • Can the Task Manager be launched by pressing keyboard shortcuts (CTRL+ALT+DEL) or random keys? It should be checked whether access to the desktop or other functions can be gained from there. For example, after opening Task Manager, Internet Explorer or the running main kiosk application can be closed, enabling access to the desktop.


  • If shortcut keys like CTRL+ALT+DEL are disabled, pressing the SHIFT key five times can bring up the "Sticky Keys" error message, and then access to the Task Manager can be achieved using the CTRL+ALT+DEL shortcut. Subsequently, the necessary application can be terminated via Task Manager to gain access to the desktop.

02: To exit Kiosk mode, the ALT+F4 shortcut can be used directly. If the ALT+F4 command is successful, the Kiosk application can be closed, providing direct access to the operating system.

03: If any browser can be opened on the kiosk device, can file system exploration within the operating system be attempted by entering entries like "C:" in the URL section?
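As an added mitigation check (not from the original deck), the script below reads the per-user policy values that close the escape paths listed in this section: Task Manager, the Run dialog, and the Sticky Keys, Toggle Keys and Filter Keys prompts. The registry paths and values are the documented Windows policy and accessibility settings; run it as the kiosk user.

```powershell
# Added example (not the deck's own code): verify the kiosk user's profile
# carries the values that block the escape paths above. Run as the kiosk user.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr'; Expected = 1;     Why = 'CTRL+SHIFT+ESC / CTRL+ALT+DEL -> Task Manager' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoRun';          Expected = 1;     Why = 'Windows Logo+R Run dialog' },
    @{ Path = 'HKCU:\Control Panel\Accessibility\StickyKeys'
       Name = 'Flags';          Expected = '506'; Why = 'SHIFT five times -> Sticky Keys prompt' },
    @{ Path = 'HKCU:\Control Panel\Accessibility\ToggleKeys'
       Name = 'Flags';          Expected = '58';  Why = 'NUMLOCK held 5 seconds -> Toggle Keys prompt' },
    @{ Path = 'HKCU:\Control Panel\Accessibility\Keyboard Response'
       Name = 'Flags';          Expected = '122'; Why = 'right SHIFT held 12 seconds -> Filter Keys prompt' }
)

function Test-KioskLockdown {
    foreach ($c in $checks) {
        # Missing value or key reads as empty, which is reported as a finding
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ("$actual" -eq "$($c.Expected)") {
            "[OK]      $($c.Path)\$($c.Name) = $actual"
        } else {
            "[FINDING] $($c.Path)\$($c.Name) is '$actual' (expected $($c.Expected)): $($c.Why) still reachable"
        }
    }
}
Test-KioskLockdown
```

Windows' built-in Assigned Access kiosk mode enforces its own restrictions; these checks target custom kiosk shells that rely on the per-user policies above.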

Kiosk Mode Bypass: Shortcuts Cheatsheet

BONUS

  • ALT+F4: Quit program
  • ALT+SPACE: System Menu
  • ALT+TAB: Switch between open programs
  • CTRL+ALT+DEL: Task Manager or Windows Security Screen
  • CTRL-ALT-F8, CTRL-ESC-F9: Hidden Administrative menu
  • CTRL+B: Open Book Marks Menu
  • CTRL+ESC: Opens start menu
  • CTRL+F4: Closes the current Multiple Document Interface (MDI) window
  • CTRL+P: May bring up print dialog.
  • CTRL+SHIFT+ESC: Opens Windows Task Manager
  • CTRL+Tab: May close current windows or tab
  • CTRL+Windows Key+F: Find computer
  • CTRL+H: Internet Explorer History
  • CTRL+T: Internet Explorer – New Tab
  • CTRL+N: Internet Explorer – New Page
  • CTRL+O: Open File
  • CTRL+S: Save
  • CTRL+R: Execute Commands
  • F1: Starts Windows Help
  • F3: May bring up Windows search
  • F6: Address Bar
  • F11: Toggle full screen within Internet Explorer
  • SHIFT five times: Toggles Sticky Keys on and off
  • Toggle Keys: Hold NUMLOCK for 5 seconds
  • Mouse Keys: SHIFT+ALT+NUMLOCK
  • SHIFT+RIGHT CLICK: Open Command Prompt Here
  • SHIFT+F10: Context Menu
  • Windows Logo+Break (AKA:Pause): System Properties dialog box
  • Windows Logo+D: Minimizes all open windows and displays the desktop
  • Windows Logo+E: Windows Explorer
  • Windows Logo+F1: Windows OS Help
  • Windows Logo+R: Run dialog box
  • Windows Logo+T: Select active application on taskbar
  • Windows Logo+U: Accessibility Utility Manager
  • Windows Logo: Start menu
  • WINDOWS+F: Search
  • Windows Logo+P: Starts Print Manager
  • Windows Logo+C: Opens Control Panel
  • Windows Logo+V: Starts Clipboard
  • Windows Logo+K: Opens Keyboard Properties dialog box
  • Windows Logo+I: Opens Mouse Properties dialog box
  • Windows Logo+A: Starts Accessibility Options (if installed)
  • Windows Logo+SPACEBAR: Displays the list of Microsoft IntelliType shortcut keys
  • Sticky Keys: Press SHIFT 5 times
  • High Contrast: SHIFT+ALT+PRINTSCN
  • Filter Keys: Hold right SHIFT for 12 seconds

Kiosk Mode Bypass: SHELL COMMANDS Cheatsheet

Shell commands are commands that, when entered into the Run dialog, File Explorer, Search box, or Browser address bars, execute specific actions.

  • shell:Administrative Tools
  • shell:DocumentsLibrary
  • shell:Libraries
  • shell:UserProfiles
  • shell:Personal
  • shell:SearchHomeFolder
  • shell:System
  • shell:NetworkPlacesFolder
  • shell:SendTo
  • shell:UsersProfiles
  • shell:Common Administrative Tools
  • shell:MyComputerFolder
  • shell:InternetFolder
  • shell:Profile
  • shell:ControlPanelFolder
  • shell:ProgramFiles
  • shell:Windows
  • shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D} --> Control Panel
  • shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D} --> My Computer
  • shell:::{208D2C60-3AEA-1069-A2D7-08002B30309D} --> My Network Places
  • shell:::{871C5380-42A0-1069-A2EA-08002B30309D} --> Internet Explorer

Other kiosk bypass entries that can be typed into a browser address bar are listed below:

  • File:/C:/windows
  • File:/C:/windows/
  • File:/C:/windows\
  • File:/C:\windows
  • File:/C:\windows\
  • File:/C:\windows/
  • File://C:/windows
  • File://C:/windows/
  • File://C:/windows\
  • File://C:\windows
  • File://C:\windows/
  • File://C:\windows\
  • C:/windows
  • C:/windows/
  • C:/windows\
  • C:\windows
  • C:\windows\
  • C:\windows/
  • %WINDIR%
  • %TMP%
  • %TEMP%
  • %SYSTEMDRIVE%
  • %SYSTEMROOT%
  • %APPDATA%
  • %HOMEDRIVE%
  • %HOMESHARE%